Ransomware Activity Tracker 2026

The Gentlemen Ransomware Claims 10 Victims in 24h

Statistical Overview

Victim Totals

• This month: 602
• This quarter: 2145
• Year to date: 4766
• Last 24h: 25

Quarterly Breakdown

Q1: 2631 | Q2: 2145 | Q3: 0 | Q4: 0

Ransomware activity continues at a consistent pace, with the current quarter tracking near Q1's high volumes. The 25 new victims reported in the last 24 hours show a consistent operational tempo from various threat actors.

Introduction

Ransomware operators reported 25 new victims, with The Gentlemen as the most active group, claiming 10 incidents. Qilin (6) and Aur0ra (4) were also active. Targeting was diverse, with significant activity in Technology/Software and Professional Services. Most impacted organizations were in the United States and Canada.

Ransomware Summary Table

The Gentlemen led ransomware activity this period, claiming 10 victims across sectors like Technology/Software and Transportation & Logistics. Qilin (6) and Aur0ra (4) also reported activity, continuing a trend seen in recent reporting on latest ransomware groups. Qilin, for instance, claimed the Central Bank of Libya as a victim, matching its presence in recent ransomware victim updates and showing a continued focus on critical infrastructure targets. CMD, DragonForce, and Akira also contributed to attacks impacting manufacturing, education, and retail.

Victim Distribution

By Country

• United States: 9
• Canada: 4
• Thailand: 2
• India: 2
• Germany: 2
• Netherlands: 1
• Taiwan: 1
• Austria: 1
• Libya: 1
• Japan: 1

By Industry

• Education: 2
• Manufacturing: 2
• Civil Engineering: 1
• Telecommunications: 1
• Real Estate: 1
• Occupational Health and Employment Testing: 1
• Logistics and Freight Forwarding: 1
• Insurance: 1
• Financial Services: 1
• Design Services: 1

The United States and Canada remain primary targets for ransomware operators, accounting for over half of the reported incidents. While no single industry dominates, attacks are distributed across many sectors, suggesting opportunistic targeting or specific campaigns by individual groups.

Ransomware News

Topline

Recent intelligence shows ongoing ransomware campaigns exploiting critical vulnerabilities, significant law enforcement disruptions against established malware infrastructure, and rising regional cybercrime threats.

Campaigns & Operations

Global law enforcement, via Operation Endgame, disrupted the SocGholish malware infrastructure, taking down 106 domains and remediating nearly 15,000 compromised WordPress sites previously used to deploy ransomware and other malware. This activity was historically linked to Evil Corp. This action coincides with an INTERPOL warning on a surge in cybercrime across the Asia-Pacific region, including approximately 135,000 ransomware attacks recorded in 2024. These attacks are driven by AI-powered social engineering and the industrialization of scam operations.

Vulnerabilities & TTPs

At the same time, CISA identified active exploitation of CVE-2026-35273, a critical unauthenticated remote access vulnerability in Oracle PeopleSoft Enterprise PeopleTools, which is being used in ransomware attacks to gain control of ERP environments.

Analyst Note

These developments show the complex nature of the ransomware threat, involving both opportunistic exploitation and organized criminal infrastructure.

Technical Takeaways

• The Gentlemen claimed 10 of 25 new ransomware victims, making it the most active operator.
• Qilin claimed 6 victims, including the Central Bank of Libya, showing a focus on critical infrastructure.
• North America, particularly the United States and Canada, remains a primary geographic target.
• Technology/Software, Professional Services, Education, and Manufacturing industries saw significant ransomware activity.
• A critical zero-day vulnerability, CVE-2026-35273 in Oracle PeopleSoft, is actively exploited in ransomware attacks.
• International law enforcement disrupted the SocGholish malware infrastructure, often used for ransomware deployment, and remediated nearly 15,000 WordPress sites.
• INTERPOL reported approximately 135,000 ransomware attacks in the Asia-Pacific region during 2024, showing an increase in AI-driven cybercrime.

Why The Gentlemen Ransomware Group Stands Out

The Gentlemen ransomware group's ability to claim 10 victims within a single 24-hour window signals a highly coordinated and operationally mature threat actor. Unlike opportunistic groups, their targeting across multiple geographies — including the United States and Thailand — suggests pre-planned infrastructure and established access broker relationships.

• Diverse sector targeting increases ransom pressure options
• Multi-country operations complicate law enforcement response
• High victim volume may indicate automated intrusion tooling
• See also: Ransomware Group Profiles
• Related: Most Active Ransomware Groups This Quarter

Organizations in Technology and Logistics sectors should treat this group as an elevated near-term threat.

Ransomware Defense Recommendations for Targeted Sectors

With Technology/Software and Professional Services among the hardest-hit sectors in this reporting window, organizations in these industries should prioritize immediate defensive actions to reduce exposure.

• Audit and restrict RDP and VPN access points
• Enforce multi-factor authentication across all remote access
• Patch internet-facing systems on an accelerated schedule
• Conduct tabletop exercises simulating ransomware scenarios
• Maintain offline, tested backups following the 3-2-1 rule
• See also: Ransomware Incident Response Checklist

Proactive hardening remains the most cost-effective defense against groups operating at the tempo demonstrated here.

Geographic Hotspots in This Reporting Period

The United States and Canada accounted for the majority of victim organizations identified in this 24-hour reporting window, consistent with longer-term trends showing English-speaking economies as primary ransomware targets. Taiwan and the Netherlands also appeared, reflecting the increasingly global reach of groups like Qilin and Aur0ra.

• United States: highest absolute victim count
• Canada: notable media sector targeting by The Gentlemen
• Taiwan: Qilin's telecommunications focus continues
• Netherlands and Austria: Aur0ra targets European professional services
• Related: Ransomware Victims by Country

Geographic diversification by threat actors complicates attribution and response coordination across jurisdictions.

LockBit Claims 5 Victims in 24h Ransomware Leaks

Statistical Overview

Victim Totals

• This month: 316
• This quarter: 1861
• Year to date: 4485
• Last 24h: 13

Quarterly Breakdown

Q1: 2631 | Q2: 1861 | Q3: 0 | Q4: 0

Ransomware activity in Q2, while substantial at 1861 victims, was lower than Q1's 2631 victims. The last 24-hour period recorded 13 new victims across diverse sectors and geographies.

Introduction

Recent ransomware activity included 13 new victims, with LockBit affiliates as the most active group, responsible for five incidents. NightSpire had three new victims, while several other groups each claimed one. Targeted sectors were diverse, affecting manufacturing, government, healthcare, and technology entities in multiple global regions. The United States experienced the highest concentration of attacks. For more on current threats, see understanding LockBit's operations.

Ransomware Summary Table

LockBit had five reported victims, targeting manufacturing and construction & engineering firms primarily in Thailand and Colombia. NightSpire had three victims, affecting U.S. government/public sector and healthcare entities, including the Silsbee Police Department and Blue Nile Medical Center. Other groups such as DragonForce, Nova (RALord), SLSH, Securotop, and Shadowbyt3s each had one victim. This suggests fragmented and opportunistic targeting across industries and geographies. SLSH, for example, impacted an international organization (Coe.int), and Shadowbyt3s listed Nintendo.com.

Victim Distribution

By Country

• United States: 5
• Canada: 1
• Colombia: 1
• Finland: 1
• France: 1
• Germany: 1
• Indonesia: 1
• Thailand: 1
• United Kingdom: 1

By Industry

• Real Estate: 1
• Hardware and Construction Materials: 1
• Machinery Manufacturing: 1
• International Organization: 1
• Construction: 1
• Regulatory Body: 1
• Industrial Equipment Maintenance: 1
• Design: 1
• Healthcare: 1
• Law Enforcement: 1

The United States remains the primary target country, with many incidents reported. Industry targeting is diverse, with no single dominant sector, suggesting a mix of opportunistic and broad attack vectors, particularly affecting critical functions such as law enforcement and healthcare. This diversity shows the relevance of monitoring ransomware trends targeting critical infrastructure.

Ransomware News

Topline

No significant new ransomware developments or campaign shifts were observed within the recent collection period.

Campaigns & Operations

No new campaigns, shifts in operator tactics, or significant incidents involving named threat actors were identified.

Vulnerabilities & TTPs

There were no reports of newly exploited vulnerabilities or changes in adversary tradecraft this period.

Analyst Note

Current activity remains consistent with previously observed patterns, without immediate indications of emerging threats.

Technical Takeaways

• LockBit remains the most active ransomware group recently, with five new victims across diverse sectors.
• The United States is the most frequently targeted country, accounting for five out of 13 recorded incidents.
• Ransomware targeting shows high industry diversity, affecting sectors from Manufacturing and Construction to Government, Healthcare, and Technology.
• NightSpire targeted critical sectors, including Government/Public Sector and Healthcare, in the United States.
• The overall ransomware activity for the current quarter, though substantial, was lower than the previous quarter.

LockBit Targeting Patterns and Sector Impact

LockBit affiliates continue to demonstrate sophisticated target selection across multiple industries. In this 24-hour window, their five victims spanned manufacturing and construction sectors across Thailand and Colombia, reflecting deliberate geographic diversification.

• Manufacturing remains a top target due to operational disruption leverage
• Construction & Engineering firms often lack mature incident response capabilities
• Affiliates exploit exposed RDP endpoints and unpatched VPN appliances
• Double extortion tactics pressure victims through data leak threats

Organizations in these sectors should prioritize ransomware readiness assessments and offline backup validation to reduce exposure to affiliate-driven campaigns.

Geographic Concentration of Ransomware Attacks

The United States recorded the highest attack concentration in this reporting period, consistent with long-term trends. NightSpire's three US-based victims included a medical center and a police department, highlighting critical infrastructure targeting.

• Indonesia and Thailand reflect growing Asia-Pacific exposure
• United Kingdom faced DragonForce activity in professional services
• Colombia continues to appear in Latin American targeting patterns

Regional variance suggests affiliates operate across time zones to maximize disruption windows. Global defenders should monitor threat intelligence feeds for emerging geographic clusters and coordinate with sector-specific ISACs for timely indicator sharing.

Defending Against Multi-Group Ransomware Campaigns

When multiple ransomware groups are simultaneously active, defenders face compounded detection and response challenges. This 24-hour period involved at least five distinct threat actors, each employing varied tactics.

• Implement network segmentation to contain lateral movement
• Deploy endpoint detection and response (EDR) with behavioral analysis
• Enforce multi-factor authentication on all remote access points
• Conduct tabletop exercises simulating concurrent ransomware incidents
• Maintain tested, immutable backups stored offline or in air-gapped environments

Proactive threat hunting and cross-team coordination remain essential as ransomware-as-a-service ecosystems lower the barrier for new affiliates to launch high-impact attacks.

LockBit Ransomware Claims 3 Victims in 24h

Statistical Overview

Victim Totals

• This month: 303
• This quarter: 1848
• Year to date: 4472
• Last 24h: 8

Quarterly Breakdown

Q1: 2631 | Q2: 1848 | Q3: 0 | Q4: 0

Ransomware activity continues, with Q2 activity maintaining a pace, though slightly lower than Q1 totals. The last 24 hours show a modest victim count across multiple groups.

Introduction

Eight new ransomware victims were recorded in the last 24 hours, showing continued threat activity. LockBit remained the most active group, accounting for three incidents. Other groups, including 3AM, Krybit, Payload, Shadowbyt3s, and Stormous, added to the varied threats. Targets included manufacturing, retail, legal, energy, and media sectors, with affected organizations distributed globally.

Ransomware Summary Table

LockBit reported three victims, mainly impacting manufacturing and retail entities in Hong Kong and China. Shadowbyt3s targeted a Japanese video game and electronics company. Groups 3AM, Krybit, Payload, and Stormous each accounted for one victim. These collectively affected legal services, energy & utilities, and technology sectors in the United States, China, and Malaysia.

Victim Distribution

By Country

• China: 2
• Malaysia: 2
• Brazil: 1
• Hong Kong: 1
• Japan: 1
• United States: 1

By Industry

• Automotive Parts Distribution: 1
• Manufacturing: 1
• Renewable Energy: 1
• Retail and Distribution: 1
• Video Games and Electronics: 1
• Information Technology and Services: 1
• Intellectual Property Services: 1
• Legal Services: 1

The victim distribution shows a geographic spread, with China and Malaysia each experiencing two incidents. Brazil, Hong Kong, Japan, and the United States each had one. Industrially, ransomware operators target many sectors, from automotive parts and manufacturing to renewable energy, retail, legal services, and the video games industry.

Ransomware News

Topline

Law enforcement efforts against ransomware infrastructure and operators have had recent successes, including a crypto-laundering service takedown and a guilty plea from a Conti ransomware group member.

Campaigns & Operations

An international law enforcement operation, coordinated by the US Secret Service, IRS Criminal Investigation, Polish Police, Europol, and Eurojust, dismantled AudiA6, a crypto-laundering platform. This service laundered over EUR 336 million for various criminal groups, including ransomware operators, between 2022 and 2025. The operation arrested two administrators in Georgia and seized infrastructure. Separately, Oleksii Lytvynenko, a member of the Conti ransomware group, pleaded guilty to conspiracy to commit wire fraud. Lytvynenko admitted involvement in attacks impacting over 1,000 victims and extorting more than $150 million.

Vulnerabilities & TTPs

The AudiA6 platform used thousands of fraudulent exchange accounts, opened with stolen or purchased identities, to obscure transactions. This gave ransomware operators a rapid method for asset conversion. Lytvynenko's activities within Conti involved developing malware used in widespread attacks, showing a persistent threat from established ransomware groups and their changing tactics.

Analyst Note

These actions demonstrate ongoing international efforts to disrupt ransomware operations by targeting their technical infrastructure and the individuals involved.

Technical Takeaways

• LockBit is active, with three new victims in manufacturing and retail sectors.
• Ransomware targets are geographically varied, with incidents in Asia, Europe, and the Americas.
• Shadowbyt3s targeted a video game company in the media and entertainment sector. This shows varied impact on organizations.
• Smaller ransomware groups (3AM, Krybit, Payload, Stormous) add to the threats, each with single victim counts.
• Victim industries cover many types, from critical sectors like energy to services like legal and intellectual property. This indicates opportunistic targeting.

DragonForce Ransomware Claims 7 Victims in 24h

Statistical Overview

Victim Totals

• This month: 295
• This quarter: 1840
• Year to date: 4464
• Last 24h: 37

Quarterly Breakdown

Q1: 2631 | Q2: 1840 | Q3: 0 | Q4: 0

Ransomware activity continues, with 37 new victims recorded in the last 24 hours. This adds to a total of 1840 victims this quarter. Activity comes from operations including DragonForce, M3RXDLS, and DireWolf.

Introduction

Ransomware operators posted 37 new victims in the last 24 hours. DragonForce (7 victims), M3RXDLS (6 victims), and DireWolf (4 victims) were responsible for most activity. Key sectors targeted include Real Estate, Manufacturing, and Construction & Engineering, affecting the United States and the United Arab Emirates. Qilin ransomware affiliates have been linked to a critical VPN vulnerability, CVE-2026-50751, and are actively exploiting it.

Ransomware Summary Table

DragonForce and M3RXDLS were the most active ransomware groups, with 7 and 6 new victims respectively. DragonForce focused on Real Estate and Manufacturing in the United Arab Emirates, while M3RXDLS targeted Construction & Engineering and Transportation & Logistics firms, primarily in Canada and Costa Rica. Recent reporting details DragonForce's activity across various sectors. M3RXDLS has also shown activity recently. SLSH impacted Telecommunications and Retail & Ecommerce within the United States, claiming American Tower Corporation and JCPenney. The Anubis group carried out a targeted attack against the Adriatic Port Authority in France, disrupting critical infrastructure.

Victim Distribution

By Country

• United States: 13
• United Arab Emirates: 4
• Hong Kong: 2
• Canada: 2
• Spain: 2
• Thailand: 1
• Uruguay: 1
• Bolivia: 1
• Brazil: 1
• Colombia: 1

By Industry

• Construction: 2
• Engineering Services: 2
• Legal Services: 1
• Hospitality: 1
• Security and Investigations: 1
• Design Services: 1
• Entertainment: 1
• Furnishings, Fixtures & Appliances: 1
• Information Technology Services: 1
• Investment Banking: 1

The distribution shows ongoing targeting of North American entities, especially in the United States, along with attacks in the Middle East and parts of Europe. Various industries are affected, with Construction, Engineering, and Real Estate sectors frequently impacted. This shows consistent targeting of operational and infrastructure-related businesses.

Ransomware News

Topline

Recent intelligence shows Qilin affiliates exploiting a critical vulnerability, a large cryptocurrency laundering service takedown, and information on new ransomware operations like The Gentlemen and an Anubis incident.

Campaigns & Operations

Qilin ransomware affiliates exploit CVE-2026-50751, a critical authentication bypass vulnerability in Check Point Remote Access VPNs. The Anubis ransomware group launched a targeted operation against the Adriatic Port Authority. They used spear-phishing (T1190) for initial access, which resulted in data exfiltration and operational disruption. The Gentlemen, tracked as Phantom Mantis and operating as an AI-enhanced Ransomware-as-a-Service, has claimed 478 victims. They often gain initial access through exposed VPNs and edge devices like Cisco and Fortinet FortiGate. The operation includes a self-spreading worm mode and multi-version ransomware for various operating systems. Law enforcement agencies, including Europol and the DOJ, dismantled AudiA6, a cryptocurrency laundering service that had processed over €336 million for ransomware gangs and cybercriminals.

Vulnerabilities & TTPs

Exploiting critical vulnerabilities such as CVE-2026-50751 in Check Point VPNs is a key way groups like Qilin gain initial access. Anubis gained initial access through spear-phishing (T1190), while The Gentlemen uses exposed VPNs and edge devices. The Gentlemen's operations include a Go-based payload with hybrid encryption, a self-spreading worm capability, and post-exploitation tooling such as NetExec and EDR killers.

Technical Takeaways

• Qilin ransomware affiliates actively exploit CVE-2026-50751, a critical authentication bypass in Check Point Remote Access VPN.
• "The Gentlemen" ransomware (Phantom Mantis) has advanced features like a self-spreading worm mode and cross-platform targeting (Windows, Linux, ESXi).
• Spear-phishing (T1190) remains an effective initial access method for ransomware operations, as demonstrated by Anubis.
• The dismantling of the AudiA6 crypto laundering service shows ongoing law enforcement efforts to disrupt ransomware financial infrastructure.
• Ransomware groups continue to target the Manufacturing, Real Estate, and Construction & Engineering sectors globally, with a concentration in the United States and United Arab Emirates.

DragonForce Ransomware: Tactics and Targeting Patterns

DragonForce has emerged as a persistent threat actor with a clear preference for high-value targets in the Middle East and Asia-Pacific regions. Key operational characteristics include:

• Double extortion model: Data exfiltration before encryption maximizes leverage
• Sector focus: Real estate, manufacturing, and construction firms are primary targets
• Geographic concentration: UAE and Bahrain account for the majority of recent victims
• Affiliate structure: Operates a ransomware-as-a-service (RaaS) model attracting experienced affiliates

Organizations in these sectors should prioritize endpoint detection and network segmentation to reduce exposure. See our DragonForce threat profile

Understanding the 24-Hour Victim Surge

A spike of 7 victims claimed by a single group within 24 hours signals either a coordinated campaign or exploitation of a newly disclosed vulnerability. Analysts should consider:

• Opportunistic timing: Ransomware groups often accelerate attacks after major vulnerability disclosures
• Pre-positioned access: Threat actors may have established footholds weeks before encryption
• Automated deployment: Modern ransomware tooling enables rapid, parallel victim processing
• Negotiation pressure tactics: High victim counts force faster ransom decisions

Tracking velocity trends alongside victim totals provides early warning of escalating campaigns. Explore our ransomware velocity tracker

Defensive Recommendations for Targeted Sectors

With real estate and manufacturing firms consistently appearing in DragonForce victim lists, sector-specific defenses are critical:

• Patch management: Prioritize internet-facing VPN and remote access infrastructure immediately
• Backup isolation: Maintain offline, immutable backups tested monthly
• Access controls: Enforce MFA across all administrative and remote access accounts
• Threat intelligence subscriptions: Monitor ransomware leak sites for early breach indicators
• Incident response planning: Establish pre-negotiated IR retainer agreements before an incident occurs

Proactive hardening remains the most cost-effective defense against ransomware operators at this activity level.

Qilin Ransomware Claims 18 Victims in 24h

Statistical Overview

Victim Totals

• This month: 258
• This quarter: 1803
• Year to date: 4427
• Last 24h: 39

Quarterly Breakdown

Q1: 2631 | Q2: 1803 | Q3: 0 | Q4: 0

Ransomware activity remains significant this quarter, with 39 new victims reported in the last 24 hours. The volume for Q2 currently stands at 1803, indicating continued operations from groups like Qilin, The_Gentlemen, and DragonForce.

Introduction

In the last 24 hours, ransomware operators listed 39 new victims across various sectors. Qilin was the most active group, accounting for 18 victims, primarily affecting the Energy & Utilities and Manufacturing sectors. Other groups included The_Gentlemen with 6 victims and DragonForce with 4. Attacks covered various targets, including a significant number of law firms.

Ransomware Summary Table

The summary table shows Qilin's significant activity, responsible for nearly half of all listed victims, with a focus on Energy & Utilities and Manufacturing. Groups like The_Gentlemen and DragonForce also operated consistently, attacking Government, Financial Services, and Real Estate. Prinz Eugen targeted a prominent Financial Services institution, Standard Bank Group, in South Africa. For more information on groups like Qilin and DragonForce, see our analysis on ransomware victims updates.

Victim Distribution

By Country

• United States: 22
• United Kingdom: 2
• Japan: 2
• India: 2
• Brazil: 1
• Turkey: 1
• Thailand: 1
• South Korea: 1
• South Africa: 1
• Philippines: 1

By Industry

• Law Firms & Legal Services: 6
• Construction: 2
• Real Estate: 2
• Machinery Manufacturing: 2
• Jewelry Manufacturing: 1
• Advertising, Marketing & PR: 1
• Apparel Manufacturing: 1
• Civil Engineering: 1
• Computer Networking: 1
• Energy Efficiency Services: 1

The data shows a strong concentration of ransomware attacks against organizations in the United States, accounting for over half of all new victims. Law Firms & Legal Services was a leading target industry, suggesting a broader trend: professional services are often impacted by groups like The_Gentlemen ransomware.

Ransomware News

Topline

Law enforcement efforts disrupted a major cryptocurrency laundering service, while various threat actors targeted education, financial services, and Oracle PeopleSoft deployments.

Campaigns & Operations

Europol-led authorities dismantled the "AudiA6" cryptocurrency laundering service, arresting two administrators and seizing assets tied to over 15 international ransomware investigations. At the same time, the education sector faced multiple incidents. Great Marlow School in the UK confirmed a cyberattack, and Onslow County Schools in North Carolina experienced a districtwide outage that impacted phones and internet. ASEC reports ongoing BlackX ransomware campaigns against Korean and U.S. organizations. CrowdStrike's 2026 Financial Services Threat Report describes continued data-leak-and-ransom operations by Chinese and North Korean threat groups against financial services in the Asia-Pacific region.

Vulnerabilities & TTPs

ShinyHunters is actively exploiting a gadget chain of old and zero-day vulnerabilities to breach Oracle PeopleSoft deployments, affecting both cloud and on-prem instances and dropping ransom notes. North Korean campaigns frequently combine sophisticated social engineering, such as recruiter impersonation, with money-laundering networks. The dismantled AudiA6 service demonstrated a key TTP: it facilitated industrial-scale crypto laundering through thousands of fraudulent exchange accounts.

Analyst Note

These developments show the persistent nature of ransomware and cybercrime. These range from opportunistic exploitation to sophisticated state-sponsored financial operations and crucial law enforcement countermeasures.

Technical Takeaways

• Qilin remains an active ransomware group, significantly affecting the Energy & Utilities and Manufacturing sectors.
• The United States is the most frequently targeted country, with other targets across Europe and Asia.
• Law Firms & Legal Services was a concentrated target industry this period. This indicates a specific focus on sensitive data.
• The ShinyHunters group is using unpatched and zero-day vulnerabilities in Oracle PeopleSoft environments to exfiltrate data and deploy ransom notes.
• International law enforcement successfully disrupted a major cryptocurrency laundering operation, AudiA6. This highlights ongoing efforts to disrupt the financial systems that support ransomware.

World Leaks Ransomware Claims 6 New Victims in 24h

Statistical Overview

Victim Totals

• This month: 219
• This quarter: 1764
• Year to date: 4388
• Last 24h: 31

Quarterly Breakdown

Q1: 2631 | Q2: 1764 | Q3: 0 | Q4: 0

Cumulative figures show fewer reported victims this quarter compared to the previous one. New ransomware incidents remain a daily occurrence, demonstrating the persistent threat from diverse ransomware operators.

Introduction

In the past 24 hours, 31 new ransomware victims were reported across various sectors. World_Leaks, PEAR, Akira, LockBit, and Play News were the most active groups by victim count. Beyond these immediate trends, recent intelligence provides a detailed operational profile of the "The Gentlemen" ransomware group, including their ransomware-as-a-service model and alleged links to a significant healthcare breach. Qilin affiliates have also exploited critical vulnerabilities, showing how threats continue to evolve.

Ransomware Summary Table

World_Leaks was the top ransomware group in the recent 24-hour period with six victims, followed by PEAR (4) and Akira (3). Manufacturing, Financial Services, and Construction & Engineering were key sectors targeted. The United States remains the primary geographical target, accounting for half of the reported incidents. Notable victims include a large banking institution in Indonesia, listed by TripleX, and an education entity (delano.k12.mn.us) impacted by LockBit. Further insights into some of these groups can be found in our look at active ransomware groups, including World_Leaks ransomware activity and Akira's exploitation of VPN vulnerabilities.

Victim Distribution

By Country

• United States: 16
• India: 4
• Germany: 2
• China: 1
• United Kingdom: 1
• Sweden: 1
• Singapore: 1
• Norway: 1
• Jamaica: 1
• Italy: 1

By Industry

• Financial Services: 2
• Education: 2
• Banking: 1
• Wholesale Hardware, Plumbing, Heating Equipment: 1
• Transportation and Logistics: 1
• Traffic Signal Equipment Distribution: 1
• Telecommunications: 1
• Performing Arts: 1
• Non-Profit & Charitable Organizations: 1
• Legal Services: 1

Attacks remain concentrated in the United States, followed by India. Industry targeting is diversified, but critical sectors such as Financial Services, Education, Banking, Manufacturing, and Construction & Engineering remain a focus.

Ransomware News

Topline - Recent intelligence shows the operational dynamics of "The Gentlemen" ransomware, active exploitation of critical vulnerabilities, and challenges in victim validation.

Campaigns & Operations - "The Gentlemen" operates as a ransomware-as-a-service (RaaS) with a 90/10 revenue split for affiliates. It frequently targets internet-facing VPNs and firewalls for initial access. The group's administrator is reportedly linked to the Hastalamuerte/Zeta88 persona, potentially identifying Alexander Andreevich Yapaev. The group has been highly active, with hundreds of victims since mid-2025. This includes a significant ransomware-style intrusion at Rajagiri Hospital in India, which resulted in the exfiltration of over 800 GB of patient and administrative data. Separately, the Qilin ransomware group recently listed The Banyans Healthcare on its leak site. This entry was later clarified as a misattribution due to shared branding, which demonstrates the need for rigorous victim validation in threat intelligence.

Vulnerabilities & TTPs - Public reporting confirms active exploitation of CVE-2026-50751, a critical authentication bypass in Check Point VPN Remote Access, by Qilin ransomware affiliates. This vulnerability allows unauthenticated attackers to establish VPN sessions without valid credentials. Veeam Backup & Replication has also patched CVE-2026-44963, a critical remote code execution (RCE) flaw (CVSS 9.4) that permits authenticated domain users to execute arbitrary code on the Backup Server. Immediate patching is necessary because ransomware groups have historically exploited similar Veeam flaws. Post-compromise activity associated with CVE-2026-50751 has included data exfiltration via Rclone and potential Tox protocol usage.

Analyst Note - Detailed profiling of new and active RaaS operators, coupled with critical vulnerability exploitation, shows a persistent threat environment where rapid patching and strong validation processes are essential.

Technical Takeaways

• Ransomware-as-a-Service (RaaS) Model: "The Gentlemen" group operates a RaaS model, offering affiliates a 90/10 revenue split. This indicates a professionalized ransomware ecosystem.
• Initial Access Vectors: "The Gentlemen" primarily gain initial access by exploiting internet-facing VPNs and firewalls, a common tactic for many ransomware groups.
• Healthcare Sector Targeting: "The Gentlemen" have been linked to a major data exfiltration and encryption incident at Rajagiri Hospital, showing continued ransomware pressure on healthcare entities.
• Critical Vulnerability Exploitation: Qilin affiliates are exploiting CVE-2026-50751, an authentication bypass in Check Point VPN. This demonstrates rapid weaponization of newly disclosed critical vulnerabilities.
• Supply Chain Risk (Backup Solutions): The patched CVE-2026-44963 in Veeam Backup & Replication, a critical RCE flaw, emphasizes the importance of securing backup infrastructure. Ransomware groups frequently use such vulnerabilities.
• Threat Intelligence Validation: The misattribution incident involving Qilin and The Banyans Healthcare shows the critical need for meticulous validation of victim listings to prevent misinformation.

How World Leaks Ransomware Operates

World Leaks operates as a ransomware-as-a-service (RaaS) platform, enabling affiliates to deploy attacks across multiple sectors. Key operational characteristics include:

• Double extortion tactics: Data is exfiltrated before encryption, increasing pressure on victims
• Targeted sectors: Financial services and manufacturing remain primary targets
• Leak site infrastructure: Victims are publicly listed to compel ransom payment
• Geographic spread: Active across North America and South Asia simultaneously

Understanding their attack chain helps organizations prioritize defenses. See our guide on ransomware defense strategies for actionable mitigation steps.

Protecting Your Organization From Active Ransomware Groups

With 31 new victims reported in a single 24-hour window, proactive defense is critical. Organizations should implement the following measures immediately:

• Patch management: Qilin affiliates actively exploit unpatched vulnerabilities — prioritize critical CVEs
• Network segmentation: Limit lateral movement opportunities for ransomware operators
• Offline backups: Maintain immutable, tested backups to reduce recovery time
• Threat intelligence feeds: Monitor active groups like Akira, PEAR, and World Leaks for targeting shifts

Stay updated with our ransomware group tracker to monitor evolving threats in real time.

Why Ransomware Victim Counts Are Rising

The quarterly data reveals a troubling pattern — 1,764 victims this quarter continues a sustained wave of ransomware activity globally. Several factors are driving this trend:

• RaaS expansion: Lower barriers to entry allow more affiliates to launch attacks
• Healthcare and financial targeting: High-value data makes these sectors prime targets
• Underreporting: Actual victim counts likely exceed published figures significantly
• Evolving evasion techniques: Groups like "The Gentlemen" demonstrate increasingly sophisticated operational security

Tracking these trends is essential for security teams building resilient incident response programs.

Qilin Ransomware Claims 5 Victims in 24h

Statistical Overview

Victim Totals

• This month: 188
• This quarter: 1734
• Year to date: 4358
• Last 24h: 15

Quarterly Breakdown

Q1: 2631 | Q2: 1734 | Q3: 0 | Q4: 0

Ransomware activity remains consistent. 15 new victims were reported in the last 24 hours. The year-to-date total shows persistent threats; Q2 contributed significantly to overall victim numbers this year.

Introduction

Ransomware operations recorded 15 new victims. Qilin was the most active group, accounting for five publicly claimed incidents, followed by Akira, RansomHouse, and Termite. The United States remained the primary target geography, with various sectors impacted, including manufacturing, healthcare, and professional services.

Ransomware Summary Table

Qilin leads in reported victim count, showing continued activity across sectors like education and entertainment. Akira and RansomHouse also maintained operations, targeting hospitality, healthcare, and transportation sectors. The United States remains a primary geographical focus for multiple ransomware groups.

Victim Distribution

Which Geographies Experienced Ransomware Activity?

• United States: 6
• Australia: 2
• France: 2
• Hong Kong: 2
• Bahamas: 1
• Italy: 1
• Thailand: 1

Which Industries Were Most Targeted?

• Education: 1
• Healthcare Services: 1
• Law firm: 1
• Healthcare: 1
• Performing Arts: 1
• Airlines and Aviation: 1
• Traditional Chinese Medicine Manufacturing: 1
• Consumer Electronics: 1
• Manufacturing: 1
• Architecture and Interior Design: 1

Ransomware activity is concentrated in the United States. While no single industry dominates, many sectors, including manufacturing, healthcare, and various professional services, continue to experience attacks. This shows broad targeting rather than a narrow sectoral focus this period.

Ransomware News

Topline

Qilin ransomware activity is prominent in recent reporting, due to its exploitation of a significant Check Point zero-day vulnerability.

Campaigns & Operations

The Qilin operation has been linked to an authentication-bypass vulnerability (CVE-2026-50751) in Check Point Remote Access VPN, exploited since May 2026. This activity coincides with Qilin's claim against Australia's Tripod Farmers Group, part of its ransomware-as-a-service model affecting over 1,900 victims globally. Separately, Mandiant attributes a data-theft extortion campaign against US law and professional services firms to UNC3753, the Silent Ransom Group, employing advanced social engineering and legitimate remote access tools. An additional ransomware attack forced the closure of Evanston Township High School in Illinois.

Vulnerabilities & TTPs

Beyond Qilin's exploitation of CVE-2026-50751, threat actors are using IT/OT convergence to target industrial automation systems via engineering workstations and remote-access points. Silent Ransom Group's tactics include phishing, vishing, and the use of tools like AnyDesk, Zoho Assist, WinSCP, and Rclone for data exfiltration.

Analyst Note

These incidents demonstrate significant vulnerability exploitation, targeted data exfiltration, and the changing role of social engineering and dark web marketplaces in facilitating ransomware operations.

Technical Takeaways

• Qilin ransomware has been observed exploiting CVE-2026-50751, a significant authentication-bypass vulnerability in Check Point Remote Access VPN products.
• The United States remains the most frequently targeted country, facing many ransomware attacks across various industries.
• Ransomware operations increasingly use advanced social engineering techniques, including vishing and pretexts, to gain initial access and facilitate data exfiltration.
• Some groups, like Silent Ransom Group (UNC3753), are employing legitimate remote access tools and common file transfer utilities (e.g., AnyDesk, WinSCP, Rclone) for post-exploitation activities and data exfiltration.
• Threats to industrial automation systems continue to change, with targeted intrusions and ransomware exploiting IT/OT convergence points.

The Gentlemen Ransomware Claims 15 Victims

Statistical Overview

Victim Totals

• This month: 174
• This quarter: 1720
• Year to date: 4344
• Last 24h: 28

Quarterly Breakdown

Q1: 2631 | Q2: 1720 | Q3: 0 | Q4: 0

Ransomware incidents in Q2 show a substantial volume. The current 24-hour period reflects a consistent operational tempo compared to observed quarterly averages.

Introduction

The past 24 hours saw 28 new ransomware victims publicly reported across various platforms. The_Gentlemen group was the most active operator, claiming 15 victims. This significantly outnumbered other groups such as NightSpire (3), Payload (3), LockBit (2), and Qilin (2). Key sectors impacted included Transportation & Logistics, Education, Manufacturing, and Professional Services.

Ransomware Summary Table

The_Gentlemen ransomware group had 15 reported victims. This shows its high operational tempo and varied targeting, which has included healthcare and education in previous campaigns. Other active groups, including NightSpire and Payload, attacked professional services, manufacturing, and retail globally.

Victim Distribution

By Country

• United States: 8
• Taiwan: 3
• Thailand: 2
• India: 2
• Vietnam: 1
• United Kingdom: 1
• Argentina: 1
• Spain: 1
• Singapore: 1
• Poland: 1

By Industry

• Healthcare: 3
• Hospitality: 2
• Computer Peripherals and Electronic Components: 1
• Textile Manufacturing: 1
• Printing Services: 1
• Medical Device Manufacturing: 1
• Maritime Transportation: 1
• Industrial Distribution: 1
• Individual and Family Services: 1
• Construction: 1

Attack distribution shows broad-spectrum targeting across multiple geographies. The United States experienced the highest number of reported incidents. Healthcare had three victims, indicating a focus on critical service providers.

Ransomware News

Topline

Recent threat intelligence shows ransomware groups exploiting critical network vulnerabilities. They also use evolving obfuscation and infrastructure tactics to evade detection and takedown.

Campaigns & Operations

A Qilin ransomware affiliate exploits a critical Check Point VPN vulnerability (CVE-2026-50751). This allows bypassing user authentication in IKEv1 setups. Post-exploitation activity includes VPS infrastructure and Tox communications. The Silent Ransom Group (SRG) uses a fast-flux botnet to host its law firm data-leak sites. It leverages compromised consumer-grade routers and social engineering tactics for initial access.

Vulnerabilities & TTPs

The Check Point VPN flaw (CVE-2026-50751, CVSS 9.3) allows unauthenticated attackers to establish remote-access VPN sessions. Analysis of Play Ransomware's Grixba scanner shows a multi-stage evolution. This includes WMI/WinRM reconnaissance, RDP usage, and ntdll-based obfuscation. Earlier versions incorporated AMSI/WLDP bypasses. Later versions refined payload delivery.

Analyst Note

These developments show a trend toward exploiting critical vulnerabilities, using resilient C2 infrastructure, and continuously refining reconnaissance tools. This enhances ransomware operational effectiveness.

Technical Takeaways

• The The_Gentlemen ransomware group accounted for 15 new victims, making it the most active operator.
• Healthcare was the most targeted industry by victim count (3). There was also targeting across hospitality, manufacturing, and transportation.
• A Qilin ransomware affiliate exploits CVE-2026-50751 in Check Point VPNs. This shows a focus on supply chain and network infrastructure vulnerabilities.
• Ransomware operators like the Silent Ransom Group use fast-flux botnets and social engineering. This complicates site takedowns and initial access defense.
• Analysis of Play Ransomware's Grixba scanner shows continuous evolution in reconnaissance tooling, including WMI/WinRM abuse and ntdll-based obfuscation.

2 New Ransomware Victims in Diverse Sectors

Statistical Overview

Victim Totals

• This month: 146
• This quarter: 1692
• Year to date: 4317
• Last 24h: 2

Quarterly Breakdown

Q1: 2631 | Q2: 1692 | Q3: 0 | Q4: 0

Current ransomware activity shows a low volume of new victims but adds to larger quarterly and year-to-date totals. New incidents target various global locations.

Introduction

In the last 24 hours, two new ransomware victims were disclosed. Blackwater and Medusa Locker each claimed one victim. Targets included hospitality & travel and education sectors, in China and Costa Rica. Reports also indicated operations affecting U.S. law firms and an Indian healthcare institution.

Ransomware Summary Table

Ransomware activity during this period shows few new victims claimed by specific groups. Blackwater took one victim in China's hospitality and travel sector. Medusa Locker, a group that targets various industries, listed an education sector victim in Costa Rica. Learn more about this group's operations in our Medusa Locker ransomware victims analysis. Blackwater also listed a new victim, aligning with trends discussed in our Q2 ransomware intelligence report.

Victim Distribution

By Country

• China: 1
• Costa Rica: 1

By Industry

• Travel and Tourism: 1
• Education: 1

Even with few new victim disclosures, the distribution points to broad, opportunistic targeting across different regions and industries. Activity this period included the education sector, a frequent ransomware target as detailed in our report on Genesis Group ransomware victims. This shows ransomware groups continue to spread out their victim profiles instead of focusing on specific sectors.

Ransomware News

Topline

Recent ransomware developments show social engineering tactics remain effective and critical sectors face ongoing threats.

Campaigns & Operations

The Silent Ransom Group (UNC3753, Luna Moth, Chatty Spider) targets U.S. law firms and professional services. This campaign uses invoice-themed phishing, which makes victims call back impostor IT support. These calls lead to remote sessions where attackers install tools like AnyDesk for initial access and data exfiltration. The group often demands extortion within 30 minutes of data theft. Separately, the Chandrapur Cancer Care Foundation in India experienced a ransomware attack around June 1, 2026. This encrypted patient and administrative databases, severely disrupting operations.

Vulnerabilities & TTPs

The Silent Ransom Group's methods include voice phishing, using various remote access tools (AnyDesk, Zoho Assist, Bomgar, SuperOps) for system control, and tools like WinSCP or Rclone for data exfiltration. They minimize forensic traces by sharing commands via Privnote and using fast-flux infrastructure with residential IPs. No specific CVEs were linked to these incidents.

Analyst Note

These incidents show sophisticated social engineering attacks remain effective. Organizations, especially in sectors like legal and healthcare, need strong defenses.

Technical Takeaways

• Ransomware activity has a broad targeting scope, affecting various sectors and geographies with low victim volumes.
• Operators like Blackwater and Medusa Locker continue to claim victims in hospitality, travel, and education.
• The Silent Ransom Group uses sophisticated social engineering, including voice phishing and impersonation, to gain remote access and quickly exfiltrate data from professional services firms.
• Attackers use common remote access (AnyDesk, Zoho Assist) and data exfiltration (WinSCP, Rclone) tools, and evasion tactics like Privnote and fast-flux infrastructure.
• Attacks on critical infrastructure, such as the Chandrapur Cancer Care Foundation, show the severe operational impact and the need for strong offline backups and incident response plans.

Ransomware Groups Behind Recent Attacks

Understanding the threat actors behind these incidents is critical for defenders. Blackwater is a relatively emerging ransomware group that has begun targeting hospitality and travel organizations across Asia. Medusa Locker, by contrast, is a well-established ransomware-as-a-service (RaaS) operation known for:

• Targeting small-to-mid-sized organizations in education and healthcare
• Using phishing and RDP exploitation as primary vectors
• Demanding ransoms typically ranging from $10,000 to $50,000
• Operating double-extortion tactics to pressure victims

Learn more in our ransomware group profiles and Medusa Locker attack patterns deep dives.

Sectors Most Targeted by Ransomware in 2025

The hospitality and education sectors continue to attract ransomware operators due to historically weaker cybersecurity postures and valuable personal data. Key trends observed year-to-date include:

• Education: Schools and universities face budget constraints limiting security investment
• Hospitality & Travel: High volumes of payment card and passport data make these targets lucrative
• Healthcare: Ongoing pressure to pay ransoms quickly to restore critical systems
• Legal Services: Law firms targeted for sensitive client data and confidentiality leverage

These patterns align with our 2025 ransomware sector analysis, which tracks shifting attacker priorities across industries.

How Organizations Can Defend Against Ransomware

Despite low single-day victim counts, cumulative 2025 totals exceeding 4,300 victims highlight the persistent ransomware threat. Organizations in targeted sectors should prioritize:

• Implementing offline and immutable backups tested regularly
• Patching RDP and VPN vulnerabilities promptly
• Deploying endpoint detection and response (EDR) solutions
• Training staff to recognize phishing attempts
• Establishing an incident response plan before an attack occurs

Proactive defense remains far less costly than ransomware recovery. Explore our ransomware prevention checklist for actionable guidance tailored to small and mid-sized organizations.

Medusa Locker Ransomware Claims Six New Victims

Statistical Overview

Victim Totals

• This month: 144
• This quarter: 1690
• Year to date: 4315
• Last 24h: 18

Quarterly Breakdown

Q1: 2631 | Q2: 1690 | Q3: 0 | Q4: 0

Ransomware activity was moderate, with 18 new victims reported in the last 24 hours. The Q2 count of 1690 victims and year-to-date totals show global targeting continues.

Introduction

Ransomware groups posted 18 new victims on various leak sites in the past 24 hours. This shows a fragmented threat environment. Medusa Locker was the most active group, with six new incidents. Other groups included Anubis, CoinbaseCartel, INC_Ransom, and Krybit. Victim organizations were in sectors like Retail & Ecommerce, Transportation & Logistics, Construction & Engineering, Legal services, and Technology. Most targets were in the United States, with others across Brazil, China, India, Indonesia, and France.

Ransomware Summary Table

Medusa Locker was most active, affecting six organizations in Retail & Ecommerce and Transportation & Logistics. These included Académie de montpellier / csjm and Actionaid / tacosa, a non-profit. Multiple other groups, including Anubis, CoinbaseCartel, INC_Ransom, and Krybit, each claimed two new victims. Targets were spread geographically, affecting organizations in the United States, United Kingdom, Brazil, China, India, Indonesia, and France. Groups like CoinbaseCartel, whose activities have been tracked in earlier PurpleOps analyses on Q2 ransomware threats, focused on technology and telecommunications firms.

Victim Distribution

By Country

• United States: 7
• Brazil: 2
• None: 1
• United Kingdom: 1
• Tanzania: 1
• Australia: 1
• Mauritius: 1
• Indonesia: 1
• India: 1
• France: 1

By Industry

• Legal Services: 2
• IT Infrastructure Services: 1
• Telematics: 1
• None: 1
• Engineering and Architecture: 1
• E-Commerce and AI Technology: 1
• Automobile Dealers: 1
• Building and Mechanical Services: 1
• Non-profit Organization Management: 1
• Relocation and Moving Services: 1

The United States is a primary target for ransomware operators, accounting for over a third of new victims. However, the spread of victims from Tanzania to Brazil and India shows ransomware targets globally. Industry targeting is also broad, with legal services, technology, and engineering firms seeing activity, as did retail and logistics.

Ransomware News

Topline - No significant new ransomware news was collected from public sources during the analysis period.

Campaigns & Operations - No new high-profile incidents or major actor announcements were reported, and no campaign shifts beyond observed victim postings.

Vulnerabilities & TTPs - There were no new reports detailing exploitation of zero-day vulnerabilities or shifts in ransomware groups' tradecraft detected.

Analyst Note - Without new external developments, monitoring ongoing ransomware activity on leak sites continues.

Technical Takeaways

• Medusa Locker was the most active ransomware group, with six victims, mainly targeting Retail & Ecommerce and Transportation & Logistics. It remains a persistent threat, as detailed in PurpleOps real-time ransomware intelligence updates.
• Eight ransomware groups accounted for the 18 new victims, showing a fragmented threat environment.
• Geographic targeting was widespread. The United States was the most impacted country, followed by Brazil and other nations across Africa, Asia, and Europe.
• Industries affected included Legal Services, Construction & Engineering, Technology / Software, and Healthcare. This shows threat actors used a broad approach.
• Public service and non-profit organizations were among the victims, demonstrating that the impact extends beyond corporate entities.

Qilin Ransomware Activity Dominates Healthcare

Statistical Overview

Victim Totals

• This month: 126
• This quarter: 1672
• Year to date: 4297
• Last 24h: 27

Quarterly Breakdown

Q1: 2631 | Q2: 1672 | Q3: 0 | Q4: 0

While quarterly totals show a decrease from Q1, the consistent emergence of new victims indicates ongoing threat actor activity, particularly from Qilin, Play News, and Akira. Ransomware operations continue to impact many sectors globally.

Introduction

Twenty-seven new ransomware victims were disclosed in the last 24 hours. Qilin was the most active group, responsible for nine of these new listings. Other groups that added victims include Play News with four, and Akira and World_Leaks each with three. Healthcare, automotive, and the public sector were the primary targets, and the United States remained the most affected geography. Further analysis on Qilin's activities can be found in our detailed Qilin ransomware update.

Ransomware Summary Table

Qilin led in new victim disclosures, focusing on healthcare and hospitality. Targets include Central Florida Cosmetic & Family Dentistry by Qilin, sierravistahospital.com by LockBit, and Access Dental by World_Leaks, showing a continued emphasis on the healthcare sector. The Krum Public Library, listed under NightSpire, is also a critical public sector target. Insights into Akira's campaigns are available in our Akira ransomware intelligence, and World_Leaks's activities are detailed in our active ransomware groups report.

Victim Distribution

By Country

• United States: 15
• Canada: 3
• Germany: 2
• Zimbabwe: 1
• Austria: 1
• United Kingdom: 1
• Thailand: 1
• Slovenia: 1
• None: 1
• Netherlands: 1

By Industry

• Behavioral Health Services: 1
• Financial Services: 1
• Truck Transportation: 1
• Religious Institutions: 1
• Public Library: 1
• Motor Vehicle Parts Manufacturing: 1
• Medical Practice: 1
• Law Firms & Legal Services: 1
• Industrial Machinery & Equipment: 1
• Healthcare: 1

The United States remains the most targeted country by a wide margin because of its large economic footprint and diverse digital infrastructure. Industry targeting shows a fragmented distribution, with healthcare-related entities, automotive, and public sector organizations often appearing among the affected.

Ransomware News

Topline

Ransomware developments include both proactive law enforcement actions against criminal infrastructure and ongoing attacks by established and new threat groups targeting diverse sectors.

Campaigns & Operations

The Silent Ransom Group (SRG), also known as Luna Moth, Chatty Spider, and UNC3753, is known for its data-theft driven extortion model. It employs a fast-flux DNS botnet to conceal its infrastructure and primarily targets data-rich sectors such as law firms.

Separately, the Karl Auto Group experienced a cyberattack that disrupted its Iowa dealerships. RansomHouse claimed responsibility for encrypting Karl Chevrolet systems and potentially exposing sensitive customer data. The Krum Public Library in Texas reported a ransomware incident that disrupted its computer services, leading to an extortion demand and forensic investigation.

Vulnerabilities & TTPs

SRG's operational security relies on a fast-flux DNS botnet that rotates multiple A-record IPs via public resolvers tied to residential ISPs, using ECS spoofing to mask geographic diversity. In a law enforcement action, a global operation led by the Netherlands and France, with Europol and Eurojust, dismantled First VPN. This Russian-language service provided anonymized infrastructure for ransomware operators, and the operation seized 33 servers and took down associated domains.

Technical Takeaways

• Qilin is currently the most active ransomware group, frequently targeting the healthcare sector.
• The United States remains the primary geographical target for ransomware operations.
• At least ten distinct ransomware groups disclosed victims.
• Tradecraft, such as the Silent Ransom Group's fast-flux DNS botnet, continues to be employed by threat actors.
• International law enforcement efforts are disrupting critical services, like First VPN, used by ransomware operators for operational security.

Diverse Ransomware Activity Sees 14 New Victims

Statistical Overview

Victim Totals

• This month: 99
• This quarter: 1645
• Year to date: 4270
• Last 24h: 14

Quarterly Breakdown

Q1: 2631 | Q2: 1645 | Q3: 0 | Q4: 0

Ransomware activity maintains a consistent pace, with this quarter's victim count indicating sustained threat actor operations. The total new victims in the last 24 hours align with a steady pattern observed across the year.

Introduction

The past 24 hours saw 14 new ransomware victims reported, reflecting ongoing threat actor operations across various sectors. Active groups included Akira (2), DragonForce (2), Genesis (2), and INC Ransom (2), alongside others like Anubis (1). Primary targets were concentrated in the Manufacturing, Healthcare, and Financial Services sectors, with the United States remaining the most frequently impacted geography.

Ransomware Summary Table

The summary table illustrates varied ransomware activity, with no single group overwhelmingly dominant in victim count. Akira, Akira ransomware TTP analysis, DragonForce, and INC Ransom each claimed two victims, primarily affecting manufacturing and technology sectors across the United States, Singapore, Lebanon, and Mexico. Groups such as Genesis Group ransomware, Anubis, and The Gentelman continued targeting healthcare and financial services, predominantly in the United States. DragonForce ransomware activity further extended its reach to include financial and manufacturing entities.

Victim Distribution

By Country

• United States: 8
• Singapore: 2
• Brazil: 1
• Canada: 1
• Lebanon: 1
• Mexico: 1

By Industry

• Financial Services: 3
• Healthcare: 2
• Food Service: 1
• Information Technology: 1
• Paper and Forest Product Manufacturing: 1
• Apparel Manufacturing: 1
• Healthcare & Social Services: 1
• Information Services: 1
• Manufacturing: 1
• Publishing: 1

The United States remains a primary target for ransomware operators, accounting for over half of the new victims. Industrially, Manufacturing and Financial Services show the highest concentration of attacks, suggesting continued emphasis on critical and potentially lucrative sectors.

Ransomware News

Topline

Multiple ransomware incidents were reported against local government entities and various organizations. The US government announced sanctions against cryptocurrency exchanges for facilitating ransomware payments.

Campaigns & Operations

Bowman, North Dakota Parks & Recreation experienced a ransomware attack leading to encrypted files, which were subsequently decrypted with expert assistance. In South Korea, Qilin ransomware targeted an automation equipment company, Nova ransomware affected a university's AI department, and Black X was observed in a data-extortion leak against a plastic surgery clinic. The National Federation of Subpostmasters (UK) also suffered a ransomware attack. Globally, the upcoming FIFA World Cup 2026 is projected to face increased threats, with high ransomware activity expected, particularly in the US and Canada. The US Treasury's OFAC sanctioned Nobitex, a major Iranian crypto exchange, for facilitating payments tied to IRGC-linked ransomware and sanctions evasion as part of the "Economic Fury" campaign, which also targeted other exchanges.

Vulnerabilities & TTPs

The ransomware attack on the National Federation of Subpostmasters stemmed from the exploitation of a critical vulnerability in the cPanel hosting control panel used by its web hosting provider. This period also shows the persistent use of dark-web channels for data leakage and extortion by various threat actors.

Analyst Note

These developments show the persistent and diversified threats posed by ransomware and its supporting financial infrastructure to a broad array of targets globally.

Technical Takeaways

• Ransomware activity remains distributed across numerous groups, with Akira, DragonForce, Genesis, and INC Ransom leading in victim counts.
• Manufacturing, Financial Services, and Healthcare continue to be highly targeted sectors, indicating a focus on critical and high-value industries.
• The United States accounts for the majority of reported new ransomware victims, showing its significant threat landscape.
• Exploitation of vulnerabilities in common infrastructure, such as cPanel hosting control panels, remains a key initial access vector for some campaigns.
• Efforts to disrupt ransomware financing continue, as evidenced by US sanctions against cryptocurrency exchanges facilitating illicit payments.

The Gentelman Ransomware Activity: 9 New Victims

Statistical Overview

Victim Totals

• This month: 85
• This quarter: 1631
• Year to date: 4256
• Last 24h: 35

Quarterly Breakdown

Q1: 2631 | Q2: 1631 | Q3: 0 | Q4: 0

Ransomware activity shows 35 new victims. The Gentelman, LockBit, and Qilin operations influenced the victim count this period.

Introduction

Recent ransomware activity shows 35 new victims, with The Gentelman as the most active operator. Other groups include LockBit, Qilin, Akira, and INC_Ransom. Affected sectors include Healthcare and Professional Services, with targeting primarily in the United States, India, and Germany.

Ransomware Summary Table

The Gentelman led activity with 9 reported victims, impacting healthcare and professional services across Germany and Guatemala. LockBit and Qilin were also active, each claiming 4 victims in sectors like retail, technology, and hospitality in Uruguay, Taiwan, and the United States. The varied sectors and geographies show how widely current ransomware campaigns operate.

Victim Distribution

By Country

• United States: 7
• India: 3
• Taiwan: 2
• Germany: 2
• Mexico: 2
• Portugal: 2
• South Korea: 1
• Spain: 1
• Thailand: 1
• The Bahamas: 1

By Industry

• Financial Services: 3
• Healthcare: 2
• Advertising & Marketing: 1
• Industrial Machinery & Equipment: 1
• Chemical Manufacturing: 1
• Industrial Distribution: 1
• Process Control and Electronics/Telecommunication: 1
• Conglomerates: 1
• Automotive and Industrial Manufacturing: 1
• None: 1

The United States is the most frequently targeted country, followed by India. This shows a continued focus on economically significant regions. Industries such as Financial Services and Healthcare face attacks, which suggests these sectors are high-value targets.

Ransomware News

Topline

Recent intelligence shows an increase in ransomware activity, including new AI-driven tools and an active global campaign from The Gentelman operator.

Campaigns & Operations

Microsoft Threat Intelligence has documented The Gentelman ransomware-as-a-service operation, attributed to the Storm-2697 syndicate. This operation infiltrates corporate assets, exfiltrates data, and expands via a self-spreading worm and a 21-vector remote-execution playbook. This occurs alongside broader ransomware trends: the global cost is projected to reach approximately $275 billion annually by 2031, and 29% of organizations pay the initial ransom demand. Municipalities like the City of Thorold have also confirmed cybersecurity incidents, showing the continued operational and financial impact on public services. The threat economy is consolidating, driven by four main groups. Identity is becoming a key perimeter, and there is an increase in living-off-the-land techniques, with APAC financial services accounting for about 22% of incidents. These events show a continued evolution of understanding ransomware attacks.

Vulnerabilities & TTPs

Sophos researchers have identified an AI-built ransomware toolkit that automates Active Directory discovery and EDR evasion, using multiple AI agents, including Claude Opus, to develop and harden payloads. The Gentelman campaign uses advanced evasion tactics, including PowerShell-driven Defender real-time monitoring disablement, local binary exclusion, and C:\\ volume scan exclusion. It also performs aggressive post-encryption cleanup of Volume Shadow Copies and logs, using a custom hybrid crypto stack (Curve25519 with XChaCha20).

Analyst Note

These developments show the increased sophistication of ransomware threats, combining advanced TTPs with AI to improve evasion and operational scale. This shows that timely threat intelligence platform insights are important.

Technical Takeaways

• The Gentelman, operated by the Storm-2697 syndicate, uses an advanced 21-vector remote execution playbook, a self-spreading worm, and a custom hybrid crypto stack for encryption.
• Active ransomware groups use advanced evasion techniques, including PowerShell-driven Defender disablement and aggressive post-encryption cleanup of logs and Volume Shadow Copies.
• AI is used in ransomware toolkit development to automate Active Directory discovery and EDR evasion, though human oversight is important for payload refinement and deployment.
• Ransomware operations are evolving towards double extortion and data exfiltration. Identity is recognized as a primary defense perimeter.
• Healthcare and Professional Services are highly targeted sectors, with a wide geographical distribution of victims. This indicates both opportunistic and strategic targeting across regions.

SafePay Ransomware Activity Targets Diverse Sectors (6 Victims)

Statistical Overview

Victim Totals

• This month: 50
• This quarter: 1596
• Year to date: 4221
• Last 24h: 23

Quarterly Breakdown

Q1: 2631 | Q2: 1596 | Q3: 0 | Q4: 0

Ransomware activity reported 23 new victims in the last 24 hours. The quarterly total of 1596 shows continued threat actor activity, with the last 24 hours having a moderate number of new victim disclosures.

Introduction

In the last 24 hours, ransomware groups disclosed 23 new victims. SafePay was the most active with six victims, followed by BlackX with four. Groups like Nova (RALord) and CoinbaseCartel were also active. Primary targets included entities in Transportation & Logistics, Professional Services, and Healthcare. Attacks concentrated in the United States and Europe, especially Germany, Italy, and France.

Ransomware Summary Table

SafePay led activity with six new victims, as reported in SafePay ransomware's operations. It primarily impacted Transportation & Logistics and Professional Services across Germany and Italy. BlackX followed with four victims, targeting entities in Healthcare and Professional Services, including the African National Congress, and showing activity in Germany and the United States. CoinbaseCartel and Krybit both focused on Transportation & Logistics and Professional Services, with victims in the United States, Guatemala, and France. Overall, 11 groups contributed to the victim count, with varied targeting strategies across multiple geographies.

Victim Distribution

By Country

• United States: 6
• Germany: 4
• Italy: 3
• France: 3
• Switzerland: 1
• South Korea: 1
• South Africa: 1
• Armenia: 1
• Guatemala: 1
• Chile: 1

By Industry

• Consumer Goods: 1
• Telecommunications Equipment Distribution: 1
• Software Development: 1
• Legal Research: 1
• Hospital & Health Care: 1
• Grocery and Foodservice Distribution: 1
• Aviation & Aerospace: 1
• Agricultural Technology and Innovation: 1
• Plastic Surgery: 1
• Political Organization: 1

The United States remains the most targeted country, followed by European nations such as Germany, Italy, and France. Industry targeting is fragmented, with Professional Services and Transportation & Logistics frequently appearing among impacted sectors. This suggests broad, opportunistic targeting by multiple ransomware groups.

Ransomware News

Topline - Recent threat intelligence shows evolving ransomware tradecraft, exemplified by a new variant, and demonstrates the importance of strong incident response methods.

Campaigns & Operations - Analysis of the EndPoint ransomware, a Midnight-era variant built on the Babuk framework, shows it targets Windows, ESXi, and NAS environments. This ransomware uses a double-extortion model, encrypting data with ChaCha20 and an in-house RSA operation for session key protection. EndPoint specifically targets folders, network shares, and file extensions, while terminating key processes and deleting volume shadow copies. This shows a focused approach to data encryption and system disruption.

Vulnerabilities & TTPs - EndPoint ransomware's methods include terminating critical backup and security services such as VSS, SQL, Veeam, and Sophos, along with deleting volume shadow copies via vssadmin. To counter these tactics, effective incident response techniques focus on fast, data-driven detection using tools like EDR, SIEM, SOAR, and XDR. They also use network segmentation and isolation to contain threats and prevent lateral movement.

Analyst Note - These developments show organizations continually need to understand emerging ransomware variants and maintain agile, complete incident response frameworks to mitigate their impact.

Technical Takeaways

• SafePay is the most active group, accounting for 6 of the 23 new victims. It primarily targets Transportation & Logistics and Professional Services.
• BlackX targets diverse sectors, including Healthcare, Professional Services, and a political organization.
• Multiple ransomware groups, including CoinbaseCartel, Krybit, and Nova (RALord), show varied targeting across sectors such as Transportation & Logistics, Professional Services, and Manufacturing.
• Geographically, the United States, Germany, Italy, and France are the most frequently impacted regions.
• The newly analyzed EndPoint ransomware variant uses the Babuk framework to target Windows, ESXi, and NAS environments. It uses ChaCha20/RSA encryption and aggressive tactics such as vssadmin for shadow copy deletion and service termination.

The Gentelman Ransomware Claims 14 Healthcare, Retail Victims

Statistical Overview

Victim Totals

• This month: 27
• This quarter: 1573
• Year to date: 4198
• Last 24h: 29

Quarterly Breakdown

Q1: 2631 | Q2: 1573 | Q3: 0 | Q4: 0

Ransomware activity maintains a consistent volume, with 29 new victims reported in the last 24 hours. Quarterly data indicates substantial impact across global organizations, accumulating 1573 victims in Q2.

Introduction

In the last 24 hours, ransomware operators claimed 29 new victims across various sectors and geographies. The Gentelman group was active, accounting for 14 of these new compromises. Other groups included DragonForce, Abyss, INC Ransom, and Lapsus. Primary affected sectors observed include Healthcare, Retail & Ecommerce, Professional Services, and Government / Public Sector, with attacks concentrated in North America, including the United States and Canada.

Ransomware Summary Table

Ransomware activity remains active, largely driven by The Gentelman, which claimed 14 victims, predominantly in Healthcare and Retail & Ecommerce across Hong Kong and Canada. Other groups such as DragonForce and Abyss also contributed to the victim count, targeting sectors like Professional Services and Government / Public Sector. INC Ransom impacted the Champaign-Urbana Public Health District in the United States. This shows the ongoing threat to critical public services. The geographic distribution shows a continued focus on North America, alongside incidents in Europe, South America, and Asia. Further insights into the activity of The Gentelman ransomware group are available in our dedicated analysis.

Victim Distribution

By Country

• United States: 11
• Canada: 4
• India: 2
• Brazil: 2
• Spain: 1
• Thailand: 1
• Switzerland: 1
• Sri Lanka: 1
• Saudi Arabia: 1
• Portugal: 1

By Industry

• Legal Services: 2
• Automotive Manufacturing: 2
• Telecommunications: 2
• Insurance: 1
• Water Utility: 1
• School Facility Planning and Consulting: 1
• Public Health: 1
• Law Practice: 1
• Industrial Textile Manufacturing: 1
• Healthcare: 1

The United States continues to be the primary target region, accounting for 11 out of 29 new victims, followed by Canada. Industry targeting is diverse. Legal Services and Automotive Manufacturing each saw multiple incidents, with Telecommunications also experiencing two, reflecting a broad opportunistic approach by ransomware groups.

Ransomware News

Topline

VSP Solutions, an Australian video security distributor, is responding to a cyber security incident claimed by the Stormous ransomware-as-a-service group.

Campaigns & Operations

Stormous has reportedly exfiltrated and published over 40 GB of data from VSP Solutions, encompassing financial backups (QuickBooks & Reckon), email archives, staff personal folders, and customer databases. The company has engaged forensic experts, notified law enforcement and Australian government agencies, and is investigating the incident's scope. Stormous, known for its double-extortion tactics and data publication, continues to use compromised access against technology and business services globally.

Vulnerabilities & TTPs

The specific initial access vector for the VSP Solutions breach was not detailed. However, Stormous's operational methods consistently involve data exfiltration followed by publication if demands are unmet, employing double-extortion as a core tactic.

Analyst Note

This incident shows the persistent threat posed by established ransomware-as-a-service groups like Stormous, which continue to successfully compromise and extort organizations through data theft and publication.

Technical Takeaways

• The Gentelman emerged as the most active ransomware group, responsible for nearly half of the new victims observed.
• Targeting remains globally diverse but shows a concentration in North America, with the United States and Canada experiencing a large volume of attacks.
• Healthcare, Retail & Ecommerce, Professional Services, and Government / Public Sector are among the top-affected sectors, indicating continued opportunistic targeting across various industries.
• Ransomware-as-a-service (RaaS) groups, exemplified by Stormous, continue to use double-extortion tactics involving data theft and publication to pressure victims.
• Critical infrastructure entities, such as public health districts, remain vulnerable to compromise by groups like INC Ransom.

Genesis Group Leads Ransomware Activity with 5 Victims

Statistical Overview

Victim Totals

• This month: 767
• This quarter: 1544
• Year to date: 4169
• Last 24h: 7

Quarterly Breakdown

Q1: 2631 | Q2: 1544 | Q3: 0 | Q4: 0

Ransomware activity totaled 7 new victims in the last 24 hours. The Genesis group accounted for most incidents during this period.

Introduction

In the last 24 hours, seven new ransomware victims were reported across various sectors and geographies. The Genesis group was the most active, responsible for five incidents, while CMD and Krybit each claimed one victim. Affected sectors include Construction & Engineering, Retail & Ecommerce, Education, Healthcare, Investment Banking, Lubricants, and Residential Remodeling, primarily impacting organizations in the United States.

Ransomware Summary Table

The Genesis group was responsible for five recent ransomware victims, primarily in the United States, targeting industries such as construction, retail, and investment banking. CMD ransomware affected the Education sector, attacking Lake Washington School District. Krybit claimed one victim in the Healthcare sector in India.

Victim Distribution

By Country

• United States: 6
• India: 1

By Industry

• Home Improvement & Hardware Retail: 2
• Healthcare: 1
• Education: 1
• Investment Banking: 1
• Lubricants: 1
• Residential Remodeling: 1

The United States experienced the most ransomware attacks, accounting for most new victims. Targeting showed a broad approach across various industries, including retail, construction, education, and healthcare, without concentrating on a single vertical.

Ransomware News

Topline

Threat intelligence indicates a rising risk to critical infrastructure, with a shift from cyber espionage to physical disruption.

Campaigns & Operations

Attackers are increasingly exploiting internet-exposed industrial systems, default passwords, and outdated configurations, with small utilities and local municipalities facing disproportionate risk. Historical instances include destructive wiper attacks, post-breach cleanups, Iranian-affiliated PLC exploitation, and telecom intrusions. The United States experiences a 62% higher cyber-attack frequency compared to the global average.

Vulnerabilities & TTPs

Exploitation uses weaknesses like default passwords and unpatched systems. Artificial intelligence is integrated into intrusion lifecycles, handling 80-90% of operational tasks in some campaigns, which improves attack automation and efficiency.

Analyst Note

This trend shows a rising frequency of sophisticated attacks with real-world consequences. It requires strong OT/ICS security measures and coordinated defense strategies.

Technical Takeaways

• The Genesis group accounted for the majority of new ransomware incidents, with five victims in the last 24 hours.
• Organizations in the United States were overwhelmingly targeted, comprising six out of seven reported victims.
• Ransomware groups show broad targeting across diverse industries, including construction, retail, education, and healthcare.
• Critical infrastructure and industrial control systems face escalating threats, with attackers increasingly focused on physical disruption rather than just data exfiltration.
• Artificial intelligence is used to automate a significant portion of intrusion lifecycles, showing a change in threat actor methods.
• The continued targeting of organizations in the investment banking sector indicates ongoing financial sector risks.

Genesis Group Tactics and Target Profile

The Genesis ransomware group has demonstrated a consistent pattern of targeting small-to-mid-sized US businesses across diverse industries. Their recent activity highlights several concerning trends:

• Sector diversity: Targets span construction, retail, investment banking, and residential services
• Geographic focus: Predominantly United States-based victims
• Volume consistency: Five victims in a single 24-hour window indicates an active and organized operation
• Business size: Targets appear to include both regional firms and larger corporate entities

Organizations in these sectors should review their ransomware readiness immediately. See also: Ransomware Group Profiles for detailed threat actor analysis.

How Organizations Can Defend Against Genesis Group Attacks

Defending against groups like Genesis requires a layered security approach. Security teams should prioritize the following actions:

• Patch management: Ensure all internet-facing systems are updated to close known vulnerabilities
• Endpoint detection: Deploy EDR solutions capable of identifying ransomware behavior before encryption begins
• Backup integrity: Maintain offline, immutable backups tested regularly for restoration
• Employee training: Phishing remains a primary initial access vector for ransomware operators
• Incident response planning: Establish documented playbooks for ransomware scenarios

Proactive defense reduces dwell time and limits the blast radius of any successful intrusion. Related reading: Ransomware Incident Response Guide.

Recent Ransomware Trends Across Active Groups

Beyond Genesis, the broader ransomware landscape remains highly active. CMD's targeting of the Lake Washington School District reflects a troubling continuation of attacks on educational institutions, which often lack mature security programs. Krybit's victim in India's healthcare sector underscores that ransomware is a global threat with no industry immune.

• Education: Frequently targeted due to limited IT budgets and large user bases
• Healthcare: High-value data and operational urgency make hospitals prime targets
• Emerging groups: Smaller operators like CMD and Krybit are filling gaps left by disrupted major gangs

Monitor the latest ransomware activity feed for real-time updates on emerging group behavior.

Nova RALord Ransomware Activity Targets 3 Victims

Statistical Overview

Victim Totals

• This month: 760
• This quarter: 1538
• Year to date: 4163
• Last 24h: 16

Quarterly Breakdown

Q1: 2631 | Q2: 1538 | Q3: 0 | Q4: 0

Ransomware activity continues to show high volume this quarter, though the last 24-hour period indicates a lower-volume but diverse set of attacks. Nova (RALord) was the most active group in this timeframe, followed by DragonForce and Lapsus.

Introduction

The past 24 hours saw 16 new ransomware victims reported across varied sectors and geographies. Nova (RALord) emerged as the most active group, followed by DragonForce and Lapsus. Attackers showed broad targeting, impacting industries from automotive and education to manufacturing and technology.

Ransomware Summary Table

Nova (RALord) led the activity with three victims, targeting entities like Daegu University in South Korea and an automotive service provider in the United States. DragonForce, a ransomware group, added two new victims including a manufacturing company and a hospitality business. Lapsus, which has carried out high-profile breaches, claimed two new victims, targeting Github internal and Ingka group (ikea), impacting technology and retail sectors. The CMD ransomware group also reported activity, targeting legal services. Further insights into DragonForce's operations can be found in our deep dive on DragonForce ransomware's real estate and healthcare targeting, and information on the CMD ransomware group is available in our CMD ransomware healthcare and nonprofit blog post. The victim pool showed high diversity across sectors and geographies. The United States experienced the highest concentration of attacks.

Victim Distribution

By Country

• United States: 10
• South Korea: 2
• Brazil: 1
• France: 1
• Italy: 1
• Netherlands: 1

By Industry

• Software Development: 2
• Government: 1
• Education: 1
• Retail: 1
• Entertainment: 1
• Higher Education: 1
• Heavy-Duty Truck Customization and Repair: 1
• Hospitality: 1
• Legal Services: 1
• Medical Laboratory Services: 1

The United States remains the primary target geography for ransomware operations, accounting for over half of all reported victims in this period. Industry targeting remains fragmented, with no single sector experiencing a concentrated surge. This suggests opportunistic or broadly distributed campaigns rather than specialized attacks.

Ransomware News

Topline - An in-depth review of a city's recovery from an Interlock ransomware attack shows the critical role of pre-existing incident response plans and effective recovery strategies.

Campaigns & Operations - St. Paul, Minnesota, successfully recovered from an Interlock ransomware attack that occurred in July 2025 without paying the ransom. The city's response involved a cross-agency effort, including emergency management, state IT, federal investigators, private cybersecurity partners, and the Minnesota National Guard, all guided by a solid incident response plan and nightly backups.

Vulnerabilities & TTPs - The recovery prioritized essential services like 911 and payroll, with full restoration by the third week of August. A full "Operation Secure St. Paul" initiative involved a large-scale password reset for over 3,000 employees, enforcement of multi-factor authentication (MFA), device checks, and enhanced endpoint detection. National Guard FirstNet connectivity provided support for these efforts.

Analyst Note - This incident shows proactive preparedness, including strong incident response frameworks and complete backup regimes, helps mitigate ransomware impact and avoid ransom payments.

Technical Takeaways

• Nova (RALord) was the most active ransomware group in the past 24 hours, observed with three new victims.
• Ransomware activity remains globally distributed, with new victims reported across North America, Asia, and Europe.
• The United States represents the main target geography, accounting for 10 of the 16 reported victims.
• Industry targeting is diverse, with no single sector experiencing significant concentration of attacks.
• Organizations including Github internal and Ingka group (ikea) were impacted by the Lapsus ransomware group.

25 New Ransomware Victims as Com Ecosystem Expands

Statistical Overview

Victim Totals

• This month: 744
• This quarter: 1522
• Year to date: 4147
• Last 24h: 25

Quarterly Breakdown

Q1: 2631 | Q2: 1522 | Q3: 0 | Q4: 0

Ransomware activity maintains a consistent pace and contributes to the overall victim count this quarter, with many new compromises reported.

Introduction

The past period saw 25 new ransomware victims, showing persistent activity across diverse sectors and geographies. The_Gentelman emerged as the most active group, accounting for four of these incidents. Primary target sectors included Legal Services and Healthcare, while the United States remained the most frequently impacted country.

Ransomware Summary Table

The_Gentelman was the most prolific group, claiming four victims across manufacturing and agriculture. Groups such as Akira, Chaos, CMD, and Everest each reported two new compromises. These targeted a mix of professional services, construction, healthcare, and government entities. CMD ransomware continued its targeting of the healthcare sector. Everest's compromise of Asopagos s.a. in Colombia indicates ongoing risk to the Government/Public Sector.

Victim Distribution

By Country

• United States: 14
• Venezuela: 1
• Colombia: 1
• United Kingdom: 1
• Switzerland: 1
• Sri Lanka: 1
• Saudi Arabia: 1
• Mexico: 1
• Malaysia: 1
• Italy: 1

By Industry

• Legal Services: 3
• Healthcare: 2
• Retail: 2
• Business Services & Supplies: 1
• Wholesale Greenhouse: 1
• Transportation Equipment Manufacturing: 1
• Precious Metals Refining: 1
• Medical Equipment Manufacturing: 1
• Facilities Services: 1
• Education: 1

The United States remains the primary target country for ransomware, representing over half of the reported victims. Targeting is diverse, but Legal Services and Healthcare sectors show a significant concentration, demonstrating persistent threats to professional and essential services.

Ransomware News

Topline

The period shows complex criminal ecosystems are emerging alongside persistent ransomware and extortion campaigns, influencing cyber insurance market dynamics.

Campaigns & Operations

Flashpoint's analysis details "The Com," a diffuse neo-Nazi criminal ecosystem. Its "Hacker Com" wing is involved in breaches, DDoS attacks, and ransomware activity, recruits from gaming communities, and targets cloud and SaaS platforms. Separately, Qilin ransomware confirmed a cyber incident at Kennedy McLaughlin & Associates, an accounting firm, and DragonForce allegedly breached QLS Group, a Victorian retail logistics firm. ShinyHunters conducted a voice-phishing attack against Charter Communications, compromising an employee's Microsoft Entra identity and accessing a Salesforce instance, affecting 4.9 million accounts. A ransomware-style cyberattack also impacted Portraitbox GmbH, a German IT service provider for school photographers.

Vulnerabilities & TTPs

Threat actors are using sophisticated social engineering tactics, such as the voice-phishing attack ShinyHunters used to gain initial access via a compromised Microsoft Entra identity for Salesforce. The Com ecosystem targets critical cloud and SaaS platforms, including Okta, Salesforce, and Microsoft 365, showing a focus on widely adopted enterprise solutions.

Analyst Note

These incidents show threat actors are becoming more sophisticated, and strong defense is needed against social engineering and supply chain compromises.

Technical Takeaways

• The_Gentelman is the most active group, claiming four new victims across manufacturing and agriculture.
• The United States is the primary target country, accounting for 14 of the 25 reported ransomware victims.
• Legal Services and Healthcare are consistently targeted by various ransomware groups, along with Manufacturing.
• Extortion campaigns continue to use social engineering techniques, specifically voice-phishing, to compromise cloud and SaaS platforms.
• New threat ecosystems, such as "The Com," are emerging, integrating ransomware with broader criminal activities like child exploitation and physical intimidation.

Everest Ransomware Targets Healthcare, Utilities (7 Victims)

Statistical Overview

Victim Totals

• This month: 720
• This quarter: 1498
• Year to date: 4123
• Last 24h: 31

Quarterly Breakdown

Q1: 2631 | Q2: 1498 | Q3: 0 | Q4: 0

Ransomware activity shows a significant count for Q1, with Q2 maintaining consistent but lower activity. This indicates persistent threat actor operations across diverse sectors. The current period's observed victim count of 31 reflects ongoing, targeted ransomware campaigns.

Introduction

Recent ransomware activity saw 31 new victims across various sectors. Groups like Everest (7 victims), Qilin (5 victims), Akira (4 victims), and DragonForce (4 victims) were primary drivers. The United States remains the most targeted country. Industries such as healthcare, manufacturing, construction, hospitality, and legal services were affected. This period shows diverse threats with varied TTPs and an ongoing shift towards data exfiltration-focused extortion.

Ransomware Summary Table

Everest was the most active group, targeting healthcare and energy sectors, including "Advanced psychiatry associates" and "L&p aesthetics." Qilin and Akira also showed significant activity across construction, hospitality, and manufacturing. Victims included "Hospice Savannah" by CMD ransomware, which shows continued threats to the healthcare sector, and "Mairie thiverval grignon demo" by Medusa Locker, impacting a government entity. For more details on DragonForce's activities in real estate and healthcare, refer to our analysis on DragonForce Ransomware Targeting.

Victim Distribution

By Country

• United States: 11
• Germany: 3
• Canada: 3
• Spain: 2
• United Kingdom: 2
• Italy: 2
• Thailand: 1
• Australia: 1
• Netherlands: 1
• Kuwait: 1

By Industry

• Medical Practices: 2
• Real Estate: 2
• Manufacturing: 2
• Hospitality: 2
• Construction: 2
• Legal Services: 2
• Education: 1
• Venture Capital and Private Equity: 1
• Packaging and Containers Manufacturing: 1
• Oil and Gas Data Analytics: 1

The United States continues to see the most ransomware attacks, with broad distribution across several industries; none significantly dominate. This suggests less concentrated sector-specific campaigns and more opportunistic or diverse targeting by various ransomware operators, consistent with previous observations of groups like Qilin and DragonForce, as shown in our recent ransomware victim updates.

Ransomware News

Topline

The current period shows changes in cyber extortion, with a continued shift from data encryption to pure data exfiltration and diverse, sophisticated attack methods.

Campaigns & Operations

Silent Ransom Group operatives are increasingly engaging in in-person cyber extortion, physically appearing at victim offices to facilitate intrusions, often targeting law firms. The ShinyHunters gang, also known as Bling Libra, confirmed a social-engineering data breach affecting nearly 6 million Carnival Cruise customers, exfiltrating PII. Latin American cybercriminal groups are aggressively shifting towards exfiltrating government databases, with incidents like La Pampa Leaks affecting Uruguay's identity service and Chronus Group targeting Mexican government agencies. A ransomware incident at Wohnungsgenossenschaft Neukölln in Germany encrypted core property-management and financial systems, disrupting tenant services.

Vulnerabilities & TTPs

An analysis of Akira ransomware kill chains reveals initial access via brute-forcing forgotten local SSLVPN accounts lacking MFA. This is followed by lateral movement via RDP, credential access, and defense evasion, including security log clearance and shadow copy deletion. The broader cyber extortion economy shows a pivot, with extortion-only campaigns rising as threat actors use SaaS abuse, supply-chain compromises, and rapid data exfiltration, frequently bypassing traditional encryption methods. The FBI also warns about physical intrusion tactics by Silent Ransom Group, using methods like USB insertion or pressuring staff for remote sessions, often exfiltrating data via legitimate utilities like WinSCP or Rclone without encryption.

Analyst Note

These developments show the increasing sophistication and diversification of threat actor methods, from physical intrusions to advanced data exfiltration. This requires defensive strategies across both digital and physical security domains.

Technical Takeaways

• Implement Phishing-Resistant MFA: Crucial for all remote access points (e.g., SSLVPN) and administrator accounts to mitigate brute-force and credential stuffing attacks.
• Enhance Data Exfiltration Detection: Deploy end-to-end Data Loss Prevention (DLP) across cloud, endpoint, and network environments to detect rapid data theft, especially given the pivot from encryption.
• Strengthen Network Segmentation and Backup Integrity: Rigorous network segmentation limits lateral movement, while immutable offline backups ensure recovery capabilities even if primary systems are compromised.
• Correlate Perimeter and Endpoint Logs: Integrate and analyze logs from firewalls (e.g., SSLVPN syslog) and endpoint events (e.g., Windows EVTX) with synchronized NTP to reconstruct full kill chains and identify anomalous activity.
• Prepare for Physical Intrusion Vectors: Develop and rehearse incident response plans that account for in-person social engineering tactics, including policies for unidentified individuals and unauthorized device connections.

DragonForce Ransomware 19 Real Estate Healthcare Victims

Statistical Overview

Victim Totals

• This month: 689
• This quarter: 1467
• Year to date: 4092
• Last 24h: 36

Quarterly Breakdown

Q1: 2631 | Q2: 1467 | Q3: 0 | Q4: 0

Ransomware activity shows consistent levels this quarter, with DragonForce being a contributor in this period. The sustained victim count shows threat actors continue operating across diverse sectors.

Introduction

In the last 24 hours, 36 new ransomware victims have been reported. DragonForce was the most active group, accounting for over half of these incidents, followed by 0day-syndicate. Primary affected sectors include Real Estate, Healthcare, and Technology, with a significant concentration of incidents observed in the United States and the Netherlands.

Ransomware Summary Table

DragonForce was the most active in ransomware activity during this period, claiming 19 victims primarily in the Real Estate and Healthcare sectors across the United States and Netherlands. Other active groups, including 0day-syndicate, Medusa Locker, and Akira, contributed to a diverse range of victims spanning Technology, Professional Services, and Manufacturing. INC Ransom targeted Distrigaz Vest S.A. in Romania, showing a continued threat to critical infrastructure within the Energy & Utilities sector. For more on DragonForce's operations and targeting profiles, see our recent analysis.

Victim Distribution

By Country

• United States: 13
• United Kingdom: 4
• Netherlands: 3
• None: 3
• Mexico: 2
• Canada: 2
• Spain: 1
• Romania: 1
• Brazil: 1
• Germany: 1

By Industry

• Legal Services: 2
• Construction: 2
• Accounting: 1
• Natural Gas Distribution: 1
• Manufacturing: 1
• Oil and Gas: 1
• Staffing and Recruiting: 1
• Telecommunications and Traffic Management: 1
• Architectural Services: 1
• Architecture and Planning: 1

The United States remains the most targeted country, followed by the United Kingdom and the Netherlands. Industry targeting is diversified, with significant activity across professional services like Legal and Accounting, as well as critical sectors such as Natural Gas Distribution and Oil and Gas. More information on ransomware group activity, including Medusa Locker and Akira, is in recent threat intelligence updates.

Ransomware News

Topline

Ransomware developments include warnings of in-person data theft tactics by the Silent Ransom Group, reported ransomware incidents affecting municipalities, a Qilin group victim claim, and new cryptojacking campaigns using AI chatbots.

Campaigns & Operations

The FBI issued a warning regarding the Silent Ransom Group (SRG), also known as Luna Moth, Chatty Spider, and UNC3753, for an extortion scheme targeting U.S. law firms. This scheme combines social engineering tactics, such as posing as IT support for remote access, with a fallback of actors physically inserting USB drives to exfiltrate data. Incidents include a ransomware attack on Casalp's Livorno operations in Italy on May 11, 2026, and a partial compromise of Nandrin Municipality's IT infrastructure in Belgium around March 15, 2026. The Qilin ransomware group also named New Zealand's Alpha Group Holdings as a victim, providing limited incident details. Analysis of the wider ransomware field and quarterly trends is in our recent activity updates.

Vulnerabilities & TTPs

SRG's tactics involve impersonating IT personnel via phone, email, or live chat to gain initial access, then escalating privileges to deploy ransomware or exfiltrate data for double extortion, often blending with legitimate IT workflows. Separately, an active cryptojacking campaign is using AI chatbot interactions and SEO poisoning to redirect users to attacker-controlled download sites, delivering a rogue DLL via a packed ScreenConnect installer to establish persistence and run miners while bypassing Microsoft Defender.

Analyst Note

These events show the threat environment is changing, marked by sophisticated social engineering, persistent infrastructure targeting, and the exploitation of emerging technologies and search vectors for malicious purposes.

Technical Takeaways

• DragonForce led reported ransomware activity this period, affecting mainly Real Estate and Healthcare sectors.
• The United States remains the most frequent target country, with a broad distribution of victim industries.
• The Silent Ransom Group (SRG) uses a varied extortion approach, blending social engineering with potential physical access to victim networks for data exfiltration.
• Emerging attack vectors include cryptojacking campaigns that manipulate AI chatbot recommendations and search engine optimization to distribute malware.
• Critical infrastructure entities, such as Distrigaz Vest S.A., continue to be targeted by ransomware groups like INC Ransom.

DragonForce Leads Financial, Insurance Ransomware

Statistical Overview

Victim Totals

• This month: 620
• This quarter: 1398
• Year to date: 4023
• Last 24h: 35

Quarterly Breakdown

Q1: 2631 | Q2: 1398 | Q3: 0 | Q4: 0

Ransomware activity continues this quarter, with 35 new victims reported in the last 24 hours. DragonForce, Qilin, and NightSpire operations drive this period's activity, alongside disruptions to key ransomware infrastructure.

Introduction

The past 24 hours saw 35 new ransomware victims, with DragonForce, Qilin, and NightSpire as the most active groups. Targeting focused on the United States and Germany, impacting Financial Services, Insurance, and Healthcare. Law enforcement and industry efforts to dismantle ransomware infrastructure also occurred during this period.

Ransomware Summary Table

DragonForce was the most active group this period, claiming 12 victims mainly in Financial Services and Insurance across the United States and Germany. Qilin and NightSpire followed, impacting 13 organizations, especially within the Healthcare sector. Nova (RALord) targeted government entities in Brazil and Turkey, which shows ongoing risks to public sector organizations. For more insights on these groups, refer to our ransomware victims update.

Victim Distribution

By Country

• United States: 17
• Germany: 4
• Spain: 2
• Egypt: 2
• United Arab Emirates: 1
• Turkey: 1
• Australia: 1
• Singapore: 1
• Russia: 1
• New Zealand: 1

By Industry

• Insurance: 2
• Financial Services: 2
• Food and Beverage Manufacturing: 1
• Professional Training and Coaching: 1
• Accounting: 1
• Book and Periodical Publishing: 1
• Construction: 1
• Education & Training Services: 1
• Electric Lighting Equipment Manufacturing: 1
• Engineering and Design Services: 1

Ransomware targeting remains concentrated in the United States, accounting for nearly half of all new victims. While various industries were affected, Financial Services, Insurance, and Healthcare (seen with Qilin and NightSpire) show consistent targeting because these sectors have valuable data and operational sensitivities.

Ransomware News

Topline - Law enforcement and industry efforts disrupted key infrastructure supporting global ransomware operations. Various groups continue to claim new victims across diverse sectors.

Campaigns & Operations - Recent incidents include a March 3, 2023, ransomware attack on MSWiA Specialist Hospital in Złocieniec, Poland. This attack impacted an archival patient database. In Japan, Ficha Inc. reported a ransomware infection around May 25, 2026, leading to 13 server compromises and external copying of 144 GitHub repositories. Candeal Co., Ltd. experienced a March 11, 2026 incident where data moved towards attacker-controlled OneDrive, potentially affecting over 40,000 personal records. NOVA ransomware-as-a-service claimed a May 16, 2026 attack on the University of Valencia, exfiltrating 300 GB, though the university asserted only an obsolete research server was accessed. The Brain Cipher ransomware group alleged a hack of Australian newspaper The Adviser, claiming 350+ GB of exfiltrated data and using a LockBit variant.

Vulnerabilities & TTPs - Brain Cipher has been linked to exploiting CVE-2023-28252 for privilege escalation. Dutch authorities recently dismantled a bulletproof hosting network, which enabled ransomware, phishing, and malware campaigns, by arresting two suspects and seizing infrastructure. In a separate disruption, Microsoft's Digital Crimes Unit, in collaboration with Resecurity, shut down "Fox Tempest," a malware-signing-as-a-service operation that abused Microsoft Artifact Signing to generate short-lived certificates. This allowed actors to impersonate trusted tools and bypass endpoint defenses, disrupting a global ransomware supply chain affecting healthcare, education, and finance.

Analyst Note - The combination of sustained targeting by active groups like Qilin, as detailed in our threat activity report, alongside critical infrastructure disruptions, shows the dynamic and evolving nature of the ransomware threat.

Technical Takeaways

• DragonForce targets the Financial Services and Insurance sectors, predominantly in the United States and Germany.
• Healthcare organizations remain a key target, with Qilin and NightSpire compromising entities in this sector.
• Observed attack methods include using file transfer tools for data exfiltration and attacker-controlled cloud storage like OneDrive.
• Law enforcement and industry collaborations disrupt core ransomware infrastructure, including bulletproof hosting services and malware code-signing networks (e.g., Fox Tempest).
• Specific vulnerabilities, such as CVE-2023-28252, are exploited by groups like Brain Cipher for privilege escalation within victim networks.
• Double extortion tactics, including data exfiltration and public leak threats, continue as a standard procedure for multiple ransomware groups like Nova and Brain Cipher.

The Gentelman Ransomware Adds 9 Healthcare, Retail Victims

Statistical Overview

Victim Totals

• This month: 585
• This quarter: 1363
• Year to date: 3988
• Last 24h: 16

Quarterly Breakdown

Q1: 2631 | Q2: 1363 | Q3: 0 | Q4: 0

Ransomware activity remains consistent, with 16 new victims reported in the last 24 hours. The second quarter continues to show high activity, driven by operations from groups like The_Gentelman.

Introduction

Sixteen new ransomware victims were reported across various sectors and geographies. The Gentelman accounts for nine of these, DragonForce for three, and Bravox for two. Targeted sectors include Healthcare, Retail & Ecommerce, and Construction. Geographies affected span North America, Europe, and Asia. For more on recent threat activity, see our latest ransomware activity reports.

Ransomware Summary Table

The_Gentelman was the most active ransomware operator in the last 24 hours. It accounted for nine of the 16 reported victims, primarily impacting organizations in the United States and Japan within the Healthcare and Retail & Ecommerce sectors. DragonForce targeted three entities in the Construction & Engineering and Agriculture & Food sectors in the United States and Canada; see our ransomware victims updates for more on this group's activities. Bravox registered two victims, including a nonprofit and an energy utility, in Turkey and Canada. One victim was the Salvation Army.

Victim Distribution

By Country

• United States: 3
• Canada: 2
• Turkey: 2
• Argentina: 1
• Australia: 1
• Austria: 1
• France: 1
• Ireland: 1
• Japan: 1
• Poland: 1

By Industry

• Healthcare: 1
• Wholesale: 1
• IT Services and IT Consulting: 1
• Construction: 1
• Non-Governmental Social Services: 1
• Municipal Government: 1
• Telecommunications: 1
• Glass Packaging Manufacturing: 1
• Engineering and Manufacturing: 1
• Furniture Manufacturing: 1

Ransomware victims are geographically widespread, and no single country or industry overwhelmingly dominates current attack patterns. This suggests some ransomware groups use opportunistic or broad targeting strategies, though others show sector preferences.

Ransomware News

Topline - Recent ransomware developments involve targeted intrusions, persistent sophisticated botnet operations, and defensive actions that stopped attempted attacks.

Campaigns & Operations - Matsuzawa Shoten in Japan experienced a ransomware intrusion that crippled its order-management system. This required a server switchover and a staged return to ordering via email or fax, with ongoing recovery for EDI channels and specific platforms. The Scottsboro Police Department in Alabama quickly detected and shut down an attempted cybersecurity attack on its servers. This prevented data encryption or exfiltration and maintained public services.

Vulnerabilities & TTPs - FortiGuard Labs discovered persistent P2Pinfect botnet activity within Google Kubernetes Engine (GKE) clusters, exploiting exposed Redis instances and unauthenticated management interfaces over a six-month timeline. This Rust-based client operates behind a decentralized peer-to-peer mesh, renting access keys for ransomware or crypto miners, and continually expands its initial-access toolkit to include flaws like the Metro4Shell vulnerability in React Native servers and potential RediShell sandbox escapes.

Analyst Note - These events show diverse threats, from direct ransomware deployment to the use of sophisticated botnets for initial access. This demonstrates the important need for rapid incident response and strong network hardening.

Technical Takeaways

• The_Gentelman is an active ransomware group, impacting multiple sectors including Healthcare and Retail & Ecommerce.
• Ransomware activity shows broad geographic targeting across North America, Europe, and Asia.
• The P2Pinfect botnet uses a decentralized, Rust-based client for persistence in cloud environments and offers "botnet-for-hire" services, indicating new ransomware initial access methods.
• Exploiting exposed Redis instances and unauthenticated management interfaces remains an important initial access vector for sophisticated threats.
• Effective incident response, as demonstrated by the Scottsboro Police Department, can reduce the impact of ransomware attempts by rapidly isolating affected systems.

Why Healthcare and Retail Are Prime Ransomware Targets

Healthcare and retail organizations remain among the most frequently attacked sectors due to their reliance on legacy systems, large volumes of sensitive customer and patient data, and pressure to maintain uptime at all costs. Ransomware groups like The_Gentelman exploit these vulnerabilities deliberately.

• Healthcare: Electronic health records and billing systems create high-value data leverage
• Retail & Ecommerce: Payment data and supply chain dependencies increase attack surface
• Operational pressure: Both sectors often pay ransoms quickly to restore services
• Understaffed security teams: Smaller regional operators lack dedicated incident response

See also: Ransomware Impact on Critical Infrastructure

Understanding The_Gentelman Threat Group

The_Gentelman is an emerging ransomware operation demonstrating a focused targeting strategy across international geographies including the United States and Japan. With nine victims claimed in a single 24-hour reporting window, this group signals rapid operational tempo.

• Targets span multiple continents, suggesting automated or affiliate-driven campaigns
• Victim profiles include mid-market companies with limited security maturity
• The group's naming conventions suggest deliberate branding for notoriety
• Activity aligns with broader Q2 ransomware surge trends

Related reading: Tracking Emerging Ransomware Groups

How Organizations Can Reduce Ransomware Exposure

Defending against groups like The_Gentelman requires proactive measures beyond standard endpoint protection. Organizations in high-risk sectors should prioritize layered defenses.

• Regular offline backups: Ensure recovery without paying ransom demands
• Network segmentation: Limit lateral movement following initial compromise
• Threat intelligence feeds: Monitor dark web leak sites for early victim disclosures
• Incident response planning: Pre-established playbooks reduce response time significantly
• Employee phishing training: Many ransomware intrusions begin with credential theft

For current threat actor tracking: Latest Ransomware Threat Activity

Law Enforcement Disrupts Ransomware 33 Servers Seized

Statistical Overview

Victim Totals

• This month: 570
• This quarter: 1348
• Year to date: 3973
• Last 24h: 11

Quarterly Breakdown

Q1: 2631 | Q2: 1348 | Q3: 0 | Q4: 0

Ransomware activity shows a consistent year-to-date accumulation of victims. Current quarterly numbers indicate a high volume, though Q2 activity tracks lower than Q1's peak.

Introduction

Ransomware activity saw 11 new victims reported in the last 24 hours. Activity is diversified across several groups, with Nova (RALord) and SLSH being the most active. Affected sectors are broad, encompassing manufacturing, healthcare, and government, while targeting spanned multiple geographies, including the United States, Spain, and Turkey. For further context on ongoing threat activity, refer to our latest ransomware threat activity report. For a broader view of trends, consult our recent update on ransomware groups and Q2 trends.

Which Ransomware Groups Are Currently Most Active?

Nova (RALord) and SLSH were the most active groups, each claiming three victims, predominantly in the United States. Krybit targeted two entities, including Bangkok.go.th, a government sector victim in Thailand, alongside a transportation and logistics firm in Argentina. Overall, activity remains fragmented across groups, showing no single operator's dominance in this period.

How Are Ransomware Victims Geographically and Industrially Distributed?

By Country

• United States: 4
• Spain: 2
• Turkey: 2
• Argentina: 1
• Thailand: 1
• Vietnam: 1

By Industry

• Transportation and Logistics: 1
• Aerospace Manufacturing: 1
• Higher Education: 1
• Government Administration: 1
• Automotive Manufacturing: 1
• Retail: 1
• Construction: 1
• Health Care Equipment & Services: 1
• Telecommunications and Mass Media: 1
• Wholesale Distribution: 1

The distribution of new ransomware victims is diverse, spanning ten distinct industries and six countries. This wide array of targeting suggests an opportunistic approach by threat actors, without a discernible focus on any particular sector or geographic region in this period.

What Are the Latest Ransomware Developments?

Topline

This period shows significant counter-ransomware operations, new threat actor capabilities, and leaks exposing criminal methodologies.

Campaigns & Operations

International law enforcement has disrupted the "First VPN Service," a criminal VPN used by at least 25 ransomware groups, including Avaddon. They seized 33 servers and 32 exit nodes across 27 countries. New intelligence reveals details of the "GENTLEMEN RANSOMWARE LEAKS," exposing a RaaS operation active since September 2025 that has impacted over 420 victims. Separately, the Qilin ransomware group attacked Eyguières Town Hall in France, compromising municipal IT infrastructure and resident data to facilitate identity fraud.

Vulnerabilities & TTPs

Intrusion vectors detailed in the GENTLEMEN LEAKS include FortiGate SSL-VPN web-panel brute-force alongside LDAP credential dumping for rapid domain compromise and lateral movement. The FBI also warns of "Kali365," a fast-growing phishing-as-a-service kit that exploits legitimate Microsoft 365 device-code OAuth flows to bypass multi-factor authentication and steal persistent access tokens. This kit, distributed via Telegram, bundles AI-generated lures and automated campaign templates.

Analyst Note

These developments show how ransomware changes, with authorities disrupting infrastructure and threat actors innovating access methods and operational security.

Technical Takeaways

• International law enforcement successfully disrupted "First VPN Service," impacting infrastructure used by at least 25 ransomware groups.
• The GENTLEMEN RANSOMWARE LEAKS reveal a RaaS operation using FortiGate SSL-VPN brute-force and LDAP credential dumping for initial access.
• A new phishing-as-a-service kit, Kali365, exploits Microsoft 365 device-code OAuth flows to bypass MFA and steal access tokens.
• Ransomware targeting remains diversified across industries and geographies, with no single sector or region showing concentrated activity.

CMD Ransomware Hits 5 Healthcare Nonprofits

Statistical Overview

Victim Totals

• This month: 561
• This quarter: 1339
• Year to date: 3965
• Last 24h: 24

Quarterly Breakdown

Q1: 2631 | Q2: 1339 | Q3: 0 | Q4: 0

Ransomware activity continues to accumulate this quarter, with 24 new victims identified in the last 24 hours. This surge is predominantly influenced by groups such as CMD, Akira, APT73, and Qilin.

Introduction

Recent ransomware activity shows 24 new victim disclosures and sustained threat actor activity. Dominant groups included CMD, Akira, APT73, and Qilin, collectively responsible for over two-thirds of the reported incidents. Affected sectors include Healthcare, Nonprofit, Manufacturing, and Technology. Most organizations were targeted within the United States.

Ransomware Summary Table

CMD was the most active ransomware group, impacting five organizations primarily in the Nonprofit and Healthcare sectors, including Holy Name of Jesus and Houston Eye Associates. Other significant actors, including APT73, Akira, and Qilin, each reported four new victims, diversifying their targeting across Media & Entertainment, Government, Construction & Engineering, Hospitality & Travel, Real Estate, and Technology sectors. This broad activity shows ongoing pressure across various industries, with the United States remaining a primary target geography, a trend observed across recent ransomware group activity updates.

Victim Distribution

By Country

• United States: 11
• Canada: 2
• Spain: 1
• Turkey: 1
• Argentina: 1
• Panama: 1
• Mexico: 1
• Italy: 1
• Ireland: 1
• Indonesia: 1

By Industry

• Medical Practices: 2
• Food and Beverage Manufacturing: 2
• Manufacturing: 2
• Electronics and Technology Distribution: 1
• Religious Organization: 1
• Packaging and Containers Manufacturing: 1
• Law Firms & Legal Services: 1
• Hospitality: 1
• Healthcare: 1
• Construction: 1

The concentration of attacks continues to be highest in the United States, representing nearly half of all new victims. Industrially, the threat environment shows a persistent focus on medical practices and the broader manufacturing sector, which points to strategic targeting of both critical services and industrial operations.

Ransomware News

Topline

Recent developments demonstrate persistent ransomware threats across multiple sectors, characterized by significant data exfiltration, service disruptions, and increasing legal ramifications.

Campaigns & Operations

The Ransom Home group claimed responsibility for a cyberattack on Hospital Clínic de Barcelona, demanding $4.5 million and threatening to release 4 TB of patient data, though authorities have stated they will not pay. Separately, Liberty Mutual is facing a federal class-action lawsuit following a data leak attributed to the Everest Group ransomware operation, which allegedly exfiltrated 108 GB of client information affecting over 15,630 individuals. In Japan, Enessance Holdings Co., Ltd. and Hokuyo Co., Ltd. both disclosed ransomware incidents; Enessance confirmed encryption and the exfiltration of approximately 365,000 customer and 2,000 employee records, while Hokuyo reported a system outage that has since been resolved. Austria's Rhomberg Bau Group also experienced an intrusion involving data exfiltration and ransom demands, prompting a police investigation and system segmentation.

Vulnerabilities & TTPs

The Everest Group's operational tactics frequently involve initial access via credential theft, phishing, or exploiting unpatched services. They then move laterally using legitimate administrative tools to blend with normal network traffic. Data exfiltration remains a consistent outcome across these varied incidents, showing its central role in modern ransomware and extortion campaigns.

Analyst Note

These incidents collectively demonstrate the persistent financial and reputational impact of ransomware, with an ongoing emphasis on data exfiltration as a primary means of coercion for threat actors.

Technical Takeaways

• CMD is the most active group, primarily targeting Healthcare and Nonprofit sectors with five confirmed victims.
• The United States remains the most frequently targeted country, accounting for nearly half of all new ransomware victim disclosures.
• Data exfiltration is a prevalent tactic across multiple ransomware incidents, leading to significant financial and legal consequences for victim organizations, as seen in the Liberty Mutual case.
• Beyond Healthcare, groups like Akira (see our ransomware threat update) and Qilin (detailed in our Qilin ransomware threat activity post) continue to diversify their targeting across Construction, Hospitality, Real Estate, and Technology.
• The persistence of ransomware attacks necessitates strong incident response and data protection strategies, given ongoing exfiltration and operational disruption.

Ransomware Activity Driven by VPN Exploitation, Takedowns

Statistical Overview

Victim Totals

• This month: 542
• This quarter: 1320
• Year to date: 3946
• Last 24h: 22

Quarterly Breakdown Q1: 2631 | Q2: 1320 | Q3: 0 | Q4: 0

Ransomware activity continues at a consistent pace, with the observed 22 new victims in the last 24 hours contributing to the ongoing quarterly totals. This period reflects a diverse targeting approach across various sectors and geographies.

Introduction

The past 24 hours saw 22 new ransomware victims, indicating persistent activity across the threat environment. The most active groups included Payload (4 victims), APT73 (3 victims), CoinbaseCartel (3 victims), and The_Gentelman (3 victims). Affected sectors ranged from Transportation & Logistics and Healthcare to Technology/Software and Manufacturing, with many incidents in the United States.

Ransomware Summary Table

Payload emerged as the most prolific ransomware group in this period, predominantly impacting transportation and healthcare entities. Other notable activity includes APT73 targeting manufacturing and pharmaceuticals, CoinbaseCartel breaching telecommunications and technology firms, and The_Gentelman affecting retail and manufacturing across the Americas. Several groups, including Qilin and LockBit, continued to target diverse geographies and industries.

Victim Distribution

By Country

• United States: 8
• United Kingdom: 2
• Singapore: 2
• Thailand: 1
• Australia: 1
• North Macedonia: 1
• Mexico: 1
• Ireland: 1
• Gibraltar: 1
• Germany: 1

By Industry

• Astronomical Research: 1
• Office Equipment Manufacturing: 1
• Numismatics and Collectibles: 1
• Nonprofit Organization: 1
• Healthcare: 1
• Executive Coaching and Leadership Development: 1
• Construction: 1
• Chemical Manufacturing: 1
• Aviation and Aerospace Component Manufacturing: 1
• Law Firms & Legal Services: 1

The United States remains a primary target, with the highest number of victims, while industrial and technology sectors show broad exposure. This suggests a continued opportunistic targeting approach combined with a focus on economically vital infrastructure.

Ransomware News

Topline - Law enforcement significantly disrupted ransomware infrastructure while threat actors continued exploiting VPN vulnerabilities and targeting supply chain entities and financial institutions.

Campaigns & Operations - In a coordinated multinational effort, Europol executed "Operation Saffron," seizing the "First VPN" service and arresting its administrator, which was widely used by ransomware gangs for anonymity. Concurrently, ransomware attacks impacted Hongsu Technology, a TSMC CoWoS equipment factory in Taiwan, and Nostrum Co., Ltd. in Japan, which provides learning support services. ShinyHunters claimed a data breach against 7-Eleven, exfiltrating franchisee data. CoinbaseCartel and TeamPCP asserted data-leak claims against an Open-Source Visualization Platform and a major developer platform respectively. Reports also described ongoing threats to the Korean financial sector, involving a three-stage malware workflow. Various industrial organizations also faced APT and financial attacks from groups like Head Mare, LockBit 5.0, and DynoWiper/LazyWiper. For more information on recent threat activity, see our analysis of latest ransomware threat activity.

Vulnerabilities & TTPs - Threat actors continue to exploit poorly patched SonicWall SSL VPN appliances, specifically using CVE-2024-12802 for MFA bypass and credential brute-forcing. Beyond VPNs, initial access commonly involved phishing delivering backdoor-downloader-droppers and infostealers, as observed in the Korean financial sector. The threat environment also includes discussions on securing AI model pipelines from ransomware, which targets vulnerabilities in weights, training pipelines, and orchestration layers.

Analyst Note - The period shows a dual focus: disrupting established cybercrime infrastructure and confronting persistent exploitation of network perimeter vulnerabilities and expanding threats to emerging technologies.

Technical Takeaways

• Europol's takedown of "First VPN" demonstrates an increased focus on disrupting core cybercrime infrastructure.
• Persistent exploitation of VPN vulnerabilities, specifically SonicWall SSL VPN CVE-2024-12802, shows the need for complete patching and multi-factor authentication.
• Ransomware activity includes targeting of supply chain entities, such as the attack on Hongsu Technology, a TSMC CoWoS equipment supplier.
• Financial and industrial sectors face diverse attack chains, incorporating multi-stage malware, infostealers, and a variety of ransomware strains (e.g., Everest, Qilin, LockBit 5.0).
• Emerging threats to AI infrastructure show vulnerabilities within model pipelines, training data, GPU clusters, and other components, which points to a future ransomware vector.

Ransomware Report - 04/08/2026

Statistical Overview

Victim Totals

• This month: 186
• This quarter: 186
• Year to date: 2808
• Last 24h: 15

Quarterly Breakdown Q1: 2622 | Q2: 186 | Q3: 0 | Q4: 0 Ransomware activity recorded 186 victims in Q2 so far. This shows persistent activity into the new quarter, though slower than the previous quarter's total.

Introduction

In the last 24 hours, PurpleOps observed 15 new ransomware victims, which indicates consistent threat actor activity. The most active groups included CoinbaseCartel (3 victims), INC_Ransom (2), Kairos (2), and Payload (2). Key sectors affected include Financial Services, Legal, Healthcare, Professional Services, and Energy & Utilities, with most incidents concentrated in the United States and Austria.

Ransomware Summary Table

Today's activity shows diverse threats, with CoinbaseCartel leading in reported victims, primarily impacting Financial Services and Manufacturing. Multiple groups, including Payload and World Leaks, targeted critical infrastructure organizations-specifically El Wastani Petroleum Company (Egypt) and Deaconess Health System (United States). This demonstrates continued pressure on essential services. Financial Services, Legal, and Healthcare sectors remain consistently targeted across North America, Europe, and Australia.

Victim Distribution

By Country

• United States: 7
• Austria: 2
• Australia: 1
• Egypt: 1
• France: 1
• Switzerland: 1
• United Kingdom: 1
• Venezuela: 1

By Industry

• Legal Services: 2
• Pharmaceutical Manufacturing: 1
• Building Technical Services: 1
• Tax Consulting: 1
• Oil and Gas: 1
• Construction and Engineering: 1
• Financial Services: 1
• Healthcare: 1
• Healthcare & Social Services: 1
• Legal Practice: 1 The United States continues to be the primary target region for ransomware attacks, accounting for nearly half of all reported victims. Industry distribution shows a concentration in legal services, followed by various sectors including healthcare, financial services, and professional services, which shows targeting across many economic segments.

Ransomware News

Today's intelligence shows significant ransomware activity, particularly impacting critical sectors and rapid exploitation techniques.

Topline Multiple cyberattacks against healthcare entities in the Netherlands and United States, and high-velocity ransomware campaigns exploiting known vulnerabilities, are the latest developments in ransomware.

Campaigns & Operations A severe cyberattack on Dutch healthcare vendor ChipSoft around April 7, 2026, disrupted hospital portals across the Netherlands, threatening care workflows. Concurrently, Signature Healthcare in Massachusetts also activated incident response due to suspicious network activity, leading to ambulance diversions and delayed chemotherapy. The Silent Ransom Group (aka Luna Moth/Chatty Spider/UNC3753) claimed a phishing-driven attack on legal giant Jones Day, while the Qilin ransomware group listed Australian computer-vision firm Seeing Machines as a victim. Separately, Space Bears claimed a breach of Sydney's GC Dental.

Vulnerabilities & TTPs Microsoft Threat Intelligence detailed Storm-1175's high-velocity Medusa ransomware campaigns. These campaigns rapidly move from exploiting known vulnerabilities such as CVE-2026-1731 (BeyondTrust), CVE-2025-31161 (CrushFTP), CVE-2024-27198 (JetBrains TeamCity), CVE-2023-21529 (Microsoft Exchange), CVE-2026-23760 (SmarterMail), and CVE-2025-10035 (GoAnywhere MFT) to data exfiltration and deployment, sometimes within 24 hours. Phishing and social engineering continue to be exploited as initial access vectors by groups like the Silent Ransom Group.

Analyst Note The accelerated breakout times and persistent targeting of critical sectors, especially healthcare, show organizations urgently need to implement prevention-first cybersecurity measures, including prompt patching of known vulnerabilities and strong identity protection.

Technical Takeaways

• Critical Sector Targeting: Healthcare and Energy & Utilities continue to experience direct ransomware impact, leading to operational disruptions and potential data exposure.
• Rapid Exploitation: Threat actor Storm-1175 demonstrates the accelerated timeframe for exploiting known vulnerabilities (e.g., CVE-2026-1731, CVE-2025-31161) and deploying ransomware, often within 24 hours of initial access.
• Geographic Focus: The United States remains the most frequently targeted country, accounting for nearly 50% of observed activity, followed by a spread across Europe and ANZ regions.
• Established and Emerging Groups: Groups like Qilin maintain operations, while others such as CoinbaseCartel and Payload have demonstrated activity in the last 24 hours.
• Initial Access Vectors: Phishing and social engineering remain effective initial access vectors, as evidenced by the Jones Day incident attributed to the Silent Ransom Group.

FAQ

Q: Which ransomware groups were most active in the last 24 hours?

CoinbaseCartel was the most active group, responsible for 3 reported victims. Other active groups included INC_Ransom, Kairos, and Payload, each with 2 victims.

Q: What industries were primarily targeted by ransomware today?

Legal Services saw the highest number of targets with 2 victims. Other affected industries included Financial Services, Healthcare, Manufacturing, Professional Services, and Energy & Utilities.

Q: Which countries experienced the most ransomware attacks?

The United States was the most targeted country with 7 reported victims. Austria followed with 2 victims, while Australia, Egypt, France, Switzerland, United Kingdom, and Venezuela each recorded 1 victim.

Q: Were any critical infrastructure organizations targeted today?

Yes, Payload targeted El Wastani Petroleum Company (WASCO) in Egypt, an Energy & Utilities entity. Additionally, World Leaks listed Deaconess Health System in the United States, a healthcare provider.

Q: What ransomware trends or campaigns were reported today?

Reports describe "high-velocity" campaigns by Storm-1175 deploying Medusa ransomware, often within 24 hours of exploiting known vulnerabilities (e.g., CVE-2026-1731). There were also significant cyberattacks impacting healthcare systems in the Netherlands (ChipSoft) and the US (Signature Healthcare).

About PurpleOps

PurpleOps works with cyber threat intelligence, ransomware tracking, and dark web research. Our platform provides real-time information into ransomware operations, emerging CVEs, and the underground economy. Learn how we help organizations detect, prevent, and respond to ransomware threats:

• Cyber Threat Intelligence
• Dark Web Monitoring
• Protect Against Ransomware
• Penetration Testing
• Supply-Chain Security

Ransomware Report - 05/18/2026

Statistical Overview

Victim Totals

• This month: 468
• This quarter: 1246
• Year to date: 3872
• Last 24h: 28

Quarterly Breakdown

Q1: 2631 | Q2: 1246 | Q3: 0 | Q4: 0

Ransomware activity in Q2 continues at a steady pace, consistent with previous trends. The year-to-date victim count is substantial, with 28 new entities impacted in the last 24 hours.

Introduction

The past 24 hours saw 28 new ransomware victims publicly reported, showing the persistent threat across various sectors. Qilin and Titan were the most active groups, each claiming seven new victims. Manufacturing and Construction & Engineering sectors were impacted, and professional services and government entities across diverse geographies also continued to be targeted.

Ransomware Summary Table

Ransomware activity over the last 24 hours was dominated by Qilin and Titan, collectively responsible for 14 of the 28 new victims. Manufacturing and Construction & Engineering sectors remain primary targets, experiencing attacks from multiple groups including AiLock, Akira, Doommageddon, and Lamashtu. Geographically, North America, particularly the United States and Canada, sustained a high volume of attacks. Targets today include Majlis perbandaran alor gajah (Malaysia) by Qilin, and Trésor public (Senegal) by Audit. This shows a continued focus on government and public-sector institutions. For more on Qilin's recent activity, see our Ransomware Victims Update - May 16 and Qilin Ransomware Threat Activity - May 14.

Victim Distribution

By Country

• United States: 9
• Canada: 3
• Turkey: 2
• Malaysia: 2
• Spain: 1
• United Kingdom: 1
• Tunisia: 1
• Taiwan: 1
• Argentina: 1
• Singapore: 1

By Industry

• Manufacturing: 2
• Public Administration: 2
• Food and Beverage Services: 1
• Industrial Machinery Manufacturing: 1
• Higher Education: 1
• Healthcare Services: 1
• Health, Wellness & Fitness: 1
• Food & Beverage: 1
• Computer Hardware Manufacturing: 1
• Architectural Services: 1

The concentration of attacks over the last 24 hours shows a continued focus on the United States and Canada, while the manufacturing sector remains a consistent high-value target for ransomware operators globally. Public administration also saw sustained pressure, which indicates diversified targeting.

Ransomware News

Topline

The past 24 hours saw several ransomware-related developments, including claims by the Qilin group, a GitHub breach impacting Grafana, an internal breach exposing The Gentlemen ransomware gang's operations, and new Q1 2026 threat intelligence.

Campaigns & Operations

The Qilin ransomware-as-a-service operation claimed Generation Life as a victim following a breach via an external service provider. Qilin's global victim tally reached 1,842. CoinbaseCartel claimed responsibility for breaching Grafana's GitHub environment using a stolen access token to download source code. Links were drawn to ShinyHunters/Lapsus$ affiliates. The Gentlemen ransomware gang experienced an internal breach in May 2026, exposing its backend infrastructure, affiliate program data, and operational tools, despite an estimated 1,570 victims. 3i Infotech Limited in India reported a ransomware cyber attack on May 16, 2026. A Check Point Research threat intelligence report also detailed breaches at Vodafone, West Pharmaceutical Services, and Foxconn's North American operations.

Vulnerabilities & TTPs

Threat intelligence showed critical vulnerabilities, including Claw Chain vulnerabilities in OpenClaw (CVE-2026-44112, CVSS 9.6), an unpatched macOS kernel exploit bypassing Memory Integrity on M5 chips, Windows zero-days YellowKey and GreenPlasma, and other flaws in NGINX (CVE-2026-42945), Catalyst SD-WAN (CVE-2026-20182), and Wi-Fi components (CVE-2026-28819). The Grafana breach showed the risk of GitHub token leakage and credential theft, while phishing campaigns deploying v0.dev to harvest credentials via Telegram bots continue to be prevalent.

Analyst Note

These incidents show a continued trend of supply chain targeting, credential theft for initial access, and persistent activity by established ransomware groups. Q1 2026 analyses from Check Point Research and Kaspersky confirmed widespread attacks, impacting thousands of users and introducing thousands of new ransomware variants.

Technical Takeaways

• Increased Focus on Government Entities: Both Qilin and Audit groups targeted public administration bodies (Majlis perbandaran alor gajah, Trésor public). This indicates a persistent, high-value target sector.
• Supply Chain & Credential Theft: The Grafana breach, attributed to CoinbaseCartel via a stolen GitHub token, shows how supply chain vulnerabilities and credential compromise are critical initial access vectors.
• Group Activity: Qilin maintained a leading position with seven new victims, further extending its global reach. For more on Akira's activity, see our Ransomware Threat Update Intelligence - May 11.
• Ongoing Q1 Threat Volume: Multiple threat intelligence reports show significant ransomware activity and new variant introductions in Q1 2026. This suggests a consistently high threat level extending into Q2.
• Vulnerability Exploitation: Several critical CVEs across various platforms (OpenClaw, NGINX, Catalyst SD-WAN, Wi-Fi components) were flagged, which indicates potential for mass exploitation and continued TTP development by threat actors.

FAQ

Q: Which ransomware groups were most active in the last 24 hours?

A: In the past 24 hours, Qilin and Titan were the most active ransomware groups, each claiming 7 new victims. Other groups like AiLock, Akira, and Doommageddon also reported multiple new victims.

Q: What industries were most targeted by ransomware today?

A: Manufacturing and Construction & Engineering were the most frequently targeted industries, each seeing multiple attacks from various groups. Public Administration also experienced considerable targeting, including high-value government entities.

Q: What regions saw the most ransomware attacks today?

A: The United States recorded the highest number of ransomware victims with 9 incidents, followed by Canada with 3. Turkey and Malaysia also saw 2 reported victims each. This indicates a broad global distribution of attacks.

Q: Were there any major breaches or exposures involving ransomware gangs or major organizations?

A: Yes, the CoinbaseCartel group claimed responsibility for breaching Grafana's GitHub environment by stealing an access token and downloading source code. The Gentlemen ransomware gang also suffered an internal breach, exposing their backend infrastructure and operational data.

Q: What critical vulnerabilities were detailed in recent threat intelligence reports?

A: Recent reports flagged several critical vulnerabilities, including Claw Chain vulnerabilities in OpenClaw (CVE-2026-44112), unpatched Windows zero-days, and flaws in NGINX (CVE-2026-42945), Catalyst SD-WAN (CVE-2026-20182), and Wi-Fi components (CVE-2026-28819), and a macOS kernel exploit.

About PurpleOps

PurpleOps is an AI-first cyber threat intelligence platform covering every threat vector, from ransomware tracking to attack surface discovery. Our AI agents JINX and BUGSY triage threats 24/7 and investigate incidents in natural language.

Explore our intelligence solutions:

• Ransomware Tracking
• Dark Web Monitoring
• Credential Intelligence
• Supply Chain Risk
• All Solutions

Ransomware Report - 05/17/2026

Statistical Overview

Victim Totals

• This month: 440
• This quarter: 1218
• Year to date: 3835
• Last 24h: 17

Quarterly Breakdown

Q1: 2622 | Q2: 1218 | Q3: 0 | Q4: 0

Ransomware activity in Q2, while still early, has already reached over 46% of Q1's total victim count, suggesting a sustained or potentially increased operational tempo from ransomware groups as the quarter progresses.

Introduction

The past 24 hours saw 17 new ransomware victims added to leak sites, showing continued pressure across various sectors. The most active groups included M3RXDLS with four reported victims, followed by Nova (RALord) and Qilin, each claiming three. Geographically, attacks were broadly distributed, with the United States and Spain registering the highest number of reported incidents, while industries such as Technology/Software and Healthcare continued to experience significant targeting.

Ransomware Summary Table

Today's ransomware activity saw M3RXDLS leading the reported victim count, showing its persistent operations primarily in Europe. Nova (RALord) and Qilin also showed significant activity, with Qilin impacting organizations across Asia and South America. DragonForce maintained its presence with targets in Europe, while other groups such as Beast, INC Ransom, and Lamashtu each claimed single victims, showing a fragmented but active threat picture. For more details into specific threat actors, review our recent analysis of M3RXDLS ransomware activity and a detailed look at Qilin ransomware activity.

Targeting today included Clinica Avellaneda Medical Center in Chile by Qilin, showing ongoing ransomware pressure on the healthcare sector in Latin America.

Victim Distribution

By Country

• United States: 4
• Spain: 3
• Romania: 1
• South Korea: 1
• Argentina: 1
• Philippines: 1
• Malaysia: 1
• Italy: 1
• Isle of Man: 1
• India: 1

By Industry

• Information Technology and Services: 2
• Gambling: 1
• Wholesale: 1
• Religious Organization: 1
• Food and Beverage Services: 1
• Insurance Brokerage: 1
• Automotive Parts Retail and E-commerce: 1
• Cosmetics Manufacturing: 1
• Healthcare: 1
• Education: 1

The concentration of attacks indicates continued targeting of the United States and European nations, with a spread across various industries. This suggests threat actors are employing opportunistic tactics rather than focusing on a single high-value sector or region, reflecting the diverse nature of recent ransomware victim updates.

Ransomware News

Topline

Grafana Labs disclosed a breach involving source code theft but rejected the associated ransom demand.

Campaigns & Operations

An attacker gained access to a portion of Grafana's GitHub environment via a compromised token, leading to the download of source code. Grafana reported no exposure of customer data or impact on customer environments and publicly refused the ransom demand, aligning with FBI guidance against payments. Remediation included revoking compromised credentials and implementing additional safeguards, with a post-incident review planned to describe further technical findings.

Vulnerabilities & TTPs

The incident was facilitated by a compromised token. Credential compromise remains a persistent initial access vector. Investigators found no evidence of customer data exposure or impact to customer environments.

Analyst Note

This incident shows the ongoing threat of data exfiltration and supply-chain risk, even when encryption is not deployed, and the complexities of managing developer environment security.

Technical Takeaways

• M3RXDLS, Nova (RALord), and Qilin collectively accounted for 10 out of 17 new victims, which shows their continued significant activity.
• Geographic targeting remains diverse, with the United States, Spain, and APAC countries (Philippines, South Korea, Malaysia, India) seeing prominent activity, as shown in the latest ransomware victims update.
• The healthcare sector, exemplified by Qilin's targeting of Clinica Avellaneda Medical Center, remains a persistent focus for ransomware groups.
• The Grafana incident shows data exfiltration without encryption as a distinct threat model, where intellectual property theft is the primary objective rather than system disruption.
• Credential compromise, as seen in the Grafana breach, continues to be a prevalent initial access vector for sophisticated threat actors.

FAQ

Q: Which ransomware groups were most active in the last 24 hours?

M3RXDLS was the most active group, claiming 4 new victims. Nova (RALord) and Qilin were also very active, each reporting 3 new victims during this period.

Q: What industries were most frequently targeted by ransomware today?

The Information Technology and Services sector, Agriculture & Food, Hospitality & Travel, and Healthcare each saw multiple new ransomware incidents today. This indicates a broad targeting approach rather than a singular industry focus.

Q: What geographic regions experienced the highest volume of new ransomware attacks?

The United States recorded the highest number of new ransomware victims with 4 incidents, followed by Spain with 3. Other regions, including the Philippines, South Korea, Malaysia, and Chile, also saw activity.

Q: Was there any significant ransomware-related news today?

Yes, Grafana Labs disclosed a breach where an attacker stole source code via a compromised token. Grafana rejected the ransom demand, confirming no customer data exposure and confirming their adherence to FBI guidance.

Q: Are there any specific attack vectors or TTPs highlighted in recent ransomware activity?

The Grafana incident specifically showed credential compromise, using a "compromised token," as an effective initial access vector for data exfiltration without traditional ransomware encryption. This points to a continued focus on credential hygiene and developer environment security.

About PurpleOps

PurpleOps is an AI-first cyber threat intelligence platform covering every threat vector, from ransomware tracking to attack surface discovery. Our AI agents JINX and BUGSY triage threats 24/7 and investigate incidents in natural language.

Explore our intelligence solutions:

• Ransomware Tracking
• Dark Web Monitoring
• Credential Intelligence
• Supply Chain Risk
• All Solutions

Ransomware Report - 05/16/2026

Statistical Overview

Victim Totals

• This month: 424
• This quarter: 1202
• Year to date: 3819
• Last 24h: 24

Quarterly Breakdown

Quarter 2 activity continues, with 1202 victims recorded to date. This follows an active Q1. The last 24 hours saw 24 new entities impacted, showing ongoing pressure across various sectors.

Introduction

In the last 24 hours, PurpleOps recorded 24 new ransomware victims, showing persistent threat actor activity. The most active groups included Qilin (8 victims), LockBit (6 victims), and DragonForce (4 victims). Targeting remained geographically diverse, though concentrated in the United States. Sectors such as Healthcare and Education experienced significant impact.

Ransomware Summary Table

Today's ransomware activity was primarily led by Qilin, which accounted for a third of all new victims. The group's targets included financial services and education entities across Thailand and the United States. LockBit and DragonForce were also active, contributing to pressure on the healthcare sector. No specific high-value government or critical infrastructure targets were identified among the new victims in the last 24 hours. PurpleOps continues to monitor these groups, providing real-time ransomware threat activity updates.

Victim Distribution

By Country

• United States: 11
• Australia: 3
• Brazil: 3
• Thailand: 2
• United Kingdom: 1
• Peru: 1
• Netherlands: 1
• Indonesia: 1
• Dominican Republic: 1

By Industry

• Healthcare: 4
• Education: 3
• Healthcare Services: 1
• Software Development: 1
• Software: 1
• Retail: 1
• Pain Management Medicine: 1
• Insurance: 1
• Industrial Machinery & Equipment: 1
• Industrial Distribution: 1

The United States remains the primary target for ransomware attacks, accounting for nearly half of the new victims. Industrially, the healthcare and education sectors show a concentration of attacks because attackers continue to exploit their sensitive data and critical operations.

Ransomware News

Topline

Recent activity shows ongoing ransomware threats, with Qilin allegedly breaching an Australian IT provider and ShinyHunters causing data leaks by exfiltrating data from cloud environments.

Campaigns & Operations

Qilin listed Australian hospitality IT provider Bluize on its dark web leak site. Details about the incident or sample data are unconfirmed, reflecting the group's sporadic posting and potential for extortion based on exposed databases. Separately, ShinyHunters has increased its extortion tactics, using persistent social engineering and voice-based pretexts to exfiltrate multi-terabyte datasets from cloud environments, especially Salesforce and other SaaS storage. Security researchers use AI for data classification to map exposed fields and estimate risk per breach.

Vulnerabilities & TTPs

ShinyHunters' operations show a reliance on social engineering and data exfiltration from cloud environments, resulting in public dumps of extensive personal and health-related data. The broader discussion around ransomware payments shows that promises to delete data often prove unreliable, which increases long-term risks for victims. Panels also warn that AI-assisted threats and non-human identities are increasing attacks, making AI for detection and rapid microsegmentation necessary.

Analyst Note

These developments show the expanding attack surface of cloud environments and the continued effectiveness of social engineering as a primary vector, alongside the unreliability of ransomware actors post-payment. Our recent intelligence covers the ransomware intelligence update and specific Qilin ransomware threat activity.

Technical Takeaways

• Qilin showed high activity, becoming the most active group in the last 24 hours with 8 new victims, and maintained its activity level.
• The healthcare and education sectors are often targeted, making up 7 out of 24 new victims, which shows their vulnerability to ransomware campaigns.
• The United States continues to be the geographic focus for ransomware operators, with 11 organizations listed as victims today.
• ShinyHunters' activities show a heavy reliance on data exfiltration from cloud environments and social engineering, leading to large-scale data leaks.
• Observations suggest Qilin uses extortion tactics, possibly listing exposed databases to pressure victims without confirming full data exfiltration.

FAQ

Q: Which ransomware groups were most active on May 16, 2026?

Qilin was the most active ransomware group, claiming 8 new victims. LockBit followed with 6 victims, and DragonForce with 4 victims in the last 24 hours.

Q: What industries did ransomware groups target most today?

The healthcare sector was the most targeted industry with 4 reported victims, closely followed by Education with 3 victims. Other affected sectors included financial services, technology, and manufacturing.

Q: Which countries were most affected by ransomware attacks in the last 24 hours?

The United States was the most affected country, reporting 11 new ransomware victims. Australia and Brazil each recorded 3 new victims, while Thailand had 2.

Q: Are there any specific new TTPs observed in today's ransomware activity?

Today's intelligence shows ShinyHunters' increasing reliance on social engineering and voice-based pretexts to exfiltrate multi-terabyte datasets from cloud environments, especially SaaS platforms. Qilin also exhibited a pattern of listing potentially exposed databases for extortion.

About PurpleOps

PurpleOps is a cyber threat intelligence platform that uses AI, covering every threat vector, from ransomware tracking to attack surface discovery. Its AI agents JINX and BUGSY triage threats 24/7 and investigate incidents in natural language.

Explore our intelligence solutions:

• Ransomware Tracking
• Dark Web Monitoring
• Credential Intelligence
• Supply Chain Risk
• All Solutions

Ransomware Report - 05/15/2026

Statistical Overview

Victim Totals

• This month: 400
• This quarter: 1178
• Year to date: 3795
• Last 24h: 16

Quarterly Breakdown

Q1: 2622 | Q2: 1178 | Q3: 0 | Q4: 0

Ransomware activity continues at a consistent pace into Q2, with a steady volume of new victims daily. The current quarter's figures represent a significant portion of the year-to-date total, suggesting threat actors are operating consistently.

Introduction

The past 24 hours saw 16 new ransomware victims publicly disclosed, primarily from operations by The_Gentelman (4 victims), 3AM (3 victims), and CMD (3 victims). The latest ransomware threat activity shows these groups maintaining activity across many regions. Key sectors targeted included Medical Practices, Legal Services, and Agriculture & Food, with a concentration of attacks within the United States.

Ransomware Summary Table

Today's summary table indicates varied threats, with The Gentelman leading in volume, targeting entities in Brazil and Mexico, primarily within the Agriculture & Food and Professional Services sectors. Groups like 3AM expanded their reach into Argentina and Lebanon, while CMD and INC Ransom focused on the United States, particularly impacting Healthcare and Legal Services. Real-time ransomware intelligence consistently tracks groups like Akira targeting professional services, showing the persistent and varied nature of these attacks.

Victim Distribution

By Country

• United States: 7
• Argentina: 2
• Brazil: 1
• Germany: 1
• Hong Kong: 1
• Lebanon: 1
• Mexico: 1
• Netherlands: 1
• Poland: 1

By Industry

• Medical Practices: 2
• Legal Services: 2
• Agro-industrial: 1
• Machinery Manufacturing: 1
• Agribusiness: 1
• Transport and Logistics: 1
• Religious Organization: 1
• InsurTech: 1
• Research and Education: 1
• Printing Services: 1

The United States remains the primary target, accounting for nearly half of the reported incidents today, followed by scattered attacks across Latin America, Europe, and Asia. Industry targeting shows a focus on professional services and essential sectors, suggesting groups are opportunistic and target a wide range of victims.

Ransomware News

Topline

Today's ransomware developments show the continued evolution of attack methodologies, strategic alliances among threat actors, and the increasing scrutiny on organizational cyber resilience from legislative bodies.

Campaigns & Operations

The House Committee on Homeland Security has initiated a briefing demand from Instructure following two consecutive breaches by ShinyHunters affecting the Canvas platform, questioning data exposure, remediation efforts, and a potential connection to a prior Salesforce intrusion. BreachForums owner diencracked detailed the Shai Hulud JavaScript worm, which targets the npm ecosystem for credential harvesting and data exfiltration. He also discussed strategic alliances with TeamPCP and Vect ransomware operations. Separately, Tokyo Paving Industry Co., Ltd. in Japan confirmed a ransomware attack on April 2, 2026, leading to system access restrictions and potential data leakage, and Oriental Diamond Co., also in Japan, disclosed a May 4, 2026, ransomware incident affecting its head office file server and potentially exposing customer data.

Vulnerabilities & TTPs

Active exploitation of PAN-OS CVE-2026-0300, a critical buffer overflow enabling unauthenticated root RCE, has been observed in limited campaigns, utilizing EarthWorm and ReverseSocks5 payloads. The Shai Hulud worm demonstrates sophisticated, multi-stage evolution with enhanced obfuscation and cross-runtime support. AI-assisted ransomware threats are accelerating attack cycles, with attackers completing full operations in approximately 72 minutes. This makes zero-trust postures and AI-enabled defenses necessary. NIST's NVD enrichment policy is now prioritizing vulnerabilities with attacker behavior signals, including ransomware associations, to bridge operational gaps in vulnerability management.

Analyst Note

The combination of advanced supply-chain targeting, rapid exploitation of critical vulnerabilities, and the use of AI by threat actors shows the urgent need for adaptive defense strategies and full incident response frameworks.

Technical Takeaways

• Geographic Focus: The United States continues to be the most targeted country, with 7 out of 16 victims, which shows a persistent focus on US-based entities by various ransomware groups.
• Industry Diversity: Ransomware groups broadly target diverse sectors such as Healthcare (Medical Practices), Legal Services, and Agriculture & Food, rather than a narrow vertical. This suggests opportunistic or widespread initial access methods.
• Evolving TTPs: The emergence of sophisticated threats like the Shai Hulud JavaScript worm and the documented increase in AI-assisted ransomware attacks show a shift towards faster, more automated, and supply-chain-focused offensive techniques.
• Vulnerability Exploitation: Active exploitation of critical vulnerabilities, such as PAN-OS CVE-2026-0300, remains a primary vector for ransomware operators to gain initial access and achieve remote code execution.

FAQ

Q: Which ransomware groups were most active in the last 24 hours?

In the past 24 hours, The Gentelman was the most active ransomware group, accounting for 4 new victims. Following closely were 3AM and CMD, each responsible for 3 new victim disclosures.

Q: What industries were most targeted by ransomware this period?

The industries most affected by ransomware over the last 24 hours include Medical Practices and Legal Services, both reporting 2 new victims each. The Agriculture & Food sector also saw significant activity, with multiple groups targeting businesses in this area.

Q: What regions saw the most ransomware attacks today?

The United States experienced the highest number of ransomware attacks today, with 7 victims reported. Other targeted regions included Argentina, Brazil, Germany, Hong Kong, Lebanon, Mexico, Netherlands, and Poland, each with one or two reported incidents.

Q: Are there any newly exploited vulnerabilities by ransomware operators?

Yes, active exploitation of PAN-OS CVE-2026-0300, a critical buffer overflow allowing unauthenticated root RCE, has been observed in limited campaigns, utilizing specific payloads. This shows an ongoing threat from recently disclosed or zero-day vulnerabilities.

Q: What role is AI playing in current ransomware operations?

AI is described as increasing the speed and scale of ransomware attacks, with threat actors capable of completing a full attack cycle in approximately 72 minutes. This includes using AI for various stages of the attack, making AI-enabled defenses and zero-trust postures important for mitigation.

About PurpleOps

PurpleOps is an AI-first cyber threat intelligence platform covering all threat vectors, from ransomware tracking to attack surface discovery. Our AI agents JINX and BUGSY triage threats 24/7 and investigate incidents in natural language.

Explore our intelligence solutions:

• Ransomware Tracking
• Dark Web Monitoring
• Credential Intelligence
• Supply Chain Risk
• All Solutions

Ransomware Report - 05/14/2026

Victim Totals

• This month: 384
• This quarter: 1162
• Year to date: 3779
• Last 24h: 21

Quarterly Breakdown

Q2 ransomware activity continues to build, showing consistent pressure even though the total victim count is significantly lower than Q1 figures.

Introduction

The past 24 hours saw 21 new ransomware victims. Qilin led activity with 10 reported breaches, with CMD and DragonForce each claiming three. Key sectors impacted include Construction & Engineering, Professional Services, and Technology/Software. Geographically, the United States continues to be the primary target, alongside activity in France, Singapore, and India.

Ransomware Summary Table

Qilin was the most active group today, accounting for nearly half of all new victims and showing consistent operations. This active group has been observed in recent PurpleOps reporting on latest ransomware threat activity. The group's targeting spanned Construction & Engineering and Healthcare across France and Singapore. The remaining activity was distributed among smaller groups like CMD and DragonForce, impacting Professional Services and Technology/Software across the United States, India, and other regions. While no government or critical infrastructure entities were explicitly reported, the targeting of Technic.com (Manufacturing) and Silergy Corp (Technology/Software) represents significant breaches in industrial and tech sectors.

Victim Distribution

By Country

• United States: 13
• Australia: 2
• Sweden: 1
• Singapore: 1
• India: 1
• France: 1
• Denmark: 1
• Cayman Islands: 1

By Industry

• Industrial Machinery & Equipment: 2
• Legal Services: 2
• Chemical Manufacturing: 1
• Numismatics: 1
• Medical Transportation: 1
• Media Distribution: 1
• Law Practice: 1
• Law Firms & Legal Services: 1
• Executive Coaching and Leadership Development: 1
• Construction: 1

The United States continues to bear the brunt of ransomware attacks because of its extensive digital footprint and economic attractiveness. While industries are diverse, a concentration in Industrial Machinery & Equipment and various Legal Services suggests a focused yet varied targeting approach by threat actors.

Ransomware News

Topline

A busy period shows the manufacturing sector under persistent pressure, an internal breach of a prominent Ransomware-as-a-Service (RaaS) group, and ongoing discussions around cybersecurity law and cargo crime.

Campaigns & Operations

Nitrogen ransomware targeted Foxconn's North American facilities, allegedly exfiltrating 8TB of sensitive data, showing the manufacturing sector's vulnerability. Concurrently, the Coinbase Cartel claimed a data leak from a South Korean medical ultrasound equipment manufacturer. The Gentlemen, a prolific RaaS gang, experienced an internal back end breach in early May 2026. This exposed roughly 16GB of its operations, including tooling and communications, offering insights into their structure, including the use of an in-house LLM for development. Murray County, Georgia's government network also experienced a cyberattack, forcing office closures, though ransomware involvement remains unconfirmed. Meanwhile, Instructure Holdings paid ShinyHunters to delete stolen Canvas data, a move often yielding little return.

Vulnerabilities & TTPs

Cyber-enabled cargo crime uses the ransomware playbook, using reconnaissance, credential theft, and phishing to silently monitor shipment communications and divert freight, and repurposes known tradecraft for logistics fraud. The manufacturing sector continues to be impacted by attackers pivoting to shared vendors, Managed Service Providers (MSPs), and widely used software to maximize impact. New data-extortion group Leak Bazaar has also been observed.

Analyst Note

The incidents, from direct ransomware attacks on critical manufacturing to internal RaaS group breaches and the repurposing of ransomware tradecraft for cargo crime, illustrate the evolving nature of cyber threats.

Technical Takeaways

• Qilin continues to show significant activity across diverse geographic regions (France, Singapore) and sectors (Construction & Engineering, Healthcare). This indicates a broad targeting strategy. This aligns with trends observed in real-time Q2 ransomware intelligence reports.
• Manufacturing remains a high-value sector for ransomware groups, as evidenced by the Nitrogen ransomware incident affecting Foxconn's North American facilities, and shows the critical impact of operational downtime.
• The breach of 'The Gentlemen' RaaS gang offers intelligence into the internal workings, TTPs, and organizational structure of a major ransomware syndicate, including their use of an in-house LLM for development.
• The documented rise of cyber-enabled cargo crime indicates an evolving application of ransomware-like reconnaissance, credential theft, and phishing tactics for financially motivated fraud beyond data encryption.
• DragonForce, a group previously noted in PurpleOps' ransomware intelligence activity updates, continues to target a mix of Media & Entertainment and Technology/Software industries, primarily in India and the United States.

FAQ

Q: Which ransomware groups were most active in the last 24 hours?

Qilin was the most active ransomware group in the last 24 hours, responsible for 10 reported victims. Following Qilin, CMD and DragonForce were the next most active, each claiming 3 new victims.

Q: What industries did ransomware groups target most frequently today?

Today's ransomware activity spread across industries. Industrial Machinery & Equipment, Legal Services, and Technology/Software each reported multiple victims, indicating a varied targeting approach by threat actors.

Q: Which countries experienced the highest number of new ransomware victims?

The United States reported the highest number of new ransomware victims in the past 24 hours, with 13 incidents. Other affected countries included Australia, Sweden, Singapore, India, France, Denmark, and the Cayman Islands.

Q: What significant ransomware incidents or developments were reported today?

Significant developments include a Nitrogen ransomware attack on Foxconn's North American facilities, allegedly leading to the exfiltration of 8TB of data. Additionally, the internal back end of 'The Gentlemen' RaaS gang was reportedly breached, exposing 16GB of their operational data and tools.

Q: Have any ransomware-as-a-service groups suffered setbacks recently?

Yes, the Ransomware-as-a-Service (RaaS) group 'The Gentlemen' suffered an internal breach in early May 2026, which exposed approximately 16GB of their internal communications, tooling, and administrative data, offering potential insights into their operations.

About PurpleOps

PurpleOps is an AI-first cyber threat intelligence platform covering every threat vector, from ransomware tracking to attack surface discovery. Our AI agents JINX and BUGSY triage threats 24/7 and investigate incidents in natural language.

Our intelligence solutions:

• Ransomware Tracking
• Dark Web Monitoring
• Credential Intelligence
• Supply Chain Risk
• All Solutions

Ransomware Report - 05/13/2026

Statistical Overview

Victim Totals

• This month: 364
• This quarter: 1142
• Year to date: 3759
• Last 24h: 30

Quarterly Breakdown

Q2 activity maintains a strong pace, accumulating 1142 victims to date. The 30 new victims in the last 24 hours show continued activity, contributing to a year-to-date total of 3759 incidents. For more on Q2 trends, refer to our Q2 Ransomware Threat Activity Update.

Introduction

Ransomware activity recorded 30 new victims in the last 24 hours, maintaining a consistent pace. The_Gentelman was the most active group, responsible for a third of today's breaches, followed closely by Play News. Targeting focused on the Construction & Engineering and Financial Services sectors, with the United States remaining the primary geographic target.

Ransomware Summary Table

Today's activity shows The_Gentelman and Play News as the most prolific groups, collectively responsible for 17 of the 30 new incidents. Their targeting shows a strong emphasis on Financial Services and Construction & Engineering across North America and parts of Asia. Akira and LeakedData also contributed to the day's victim count, impacting pharmaceuticals and legal sectors respectively. The geographical spread remains diverse, with a concentration in the United States.

Q: Where were ransomware victims located geographically and by industry today?

The United States recorded the highest number of new ransomware victims, with activity distributed across various industries including Manufacturing and Financial Services.

By Country

• United States: 12
• Qatar: 2
• Tunisia: 1
• United Kingdom: 1
• Ukraine: 1
• Argentina: 1
• Thailand: 1
• Taiwan: 1
• Singapore: 1
• Paraguay: 1

By Industry

• Manufacturing: 2
• Financial Services: 2
• Automotive Manufacturing: 1
• Transportation: 1
• Retail Technology: 1
• Machinery Manufacturing: 1
• Legal Services: 1
• Law Practice: 1
• Food Service Distribution: 1
• Construction Management: 1

The United States continues to experience the most ransomware attacks, accounting for 40% of today's observed victims. While Manufacturing and Financial Services show a slight uptick, the overall distribution across industries remains fragmented, indicating opportunistic rather than highly specialized targeting in the last 24 hours.

Ransomware News

Topline

Ransomware operations continue to impact diverse sectors, with activity from established groups and new attacks on major corporations across technology and healthcare.

Campaigns & Operations

The_Gentelman ransomware group's operations use infostealer credential logs, mining OWA/M365 data and breach search engines for initial access. This aligns with trends of credential use observed with groups like Coinbase Cartel. A full overview of their tactics is available in our latest ransomware threat activity report. In North America, Nitrogen ransomware claimed an attack on Foxconn, reportedly exfiltrating 8 TB of sensitive data from factories, marking another incident for the manufacturing giant. Separately, West Pharmaceutical Services disclosed a ransomware incident impacting critical systems, now under investigation by Palo Alto Networks Unit 42, showing ongoing risks to the healthcare industry. In the education sector, Instructure reached a deal with ShinyHunters following a Canvas platform breach that exposed user data, while Japan's Hokuyo Corporation reported a resolved ransomware infection from late March.

Vulnerabilities & TTPs

The emphasis on infostealer credential logs by groups like The_Gentelman shows a persistent initial access vector, prioritizing compromised employee logins for network penetration.

Analyst Note

These incidents collectively show the persistent threat of data exfiltration and business disruption across critical sectors, often facilitated by credential-based initial access.

Technical Takeaways

1. Credential-based Initial Access: The_Gentelman group's documented reliance on infostealer credential logs for initial access shows a pervasive TTP in current ransomware operations.
2. Data Exfiltration Focus: Multiple incidents, including Nitrogen's attack on Foxconn (8TB exfiltrated) and West Pharmaceutical Services, confirm data exfiltration as a primary ransomware objective alongside encryption.
3. Targeting Diversification: While the United States remains a primary target, the distribution across countries like Singapore, Ireland, Malaysia, and Ukraine indicates a broad, opportunistic targeting approach.
4. Persistent Sectoral Risk: The observed breaches in Financial Services, Manufacturing, Education, and Pharmaceuticals show the continued vulnerability of diverse critical and enterprise sectors to ransomware.

FAQ

Q: Which ransomware groups were most active in the last 24 hours?

The_Gentelman was the most active group, responsible for 10 reported victims. Play News followed with 7 victims, while Akira, LeakedData, Payload, and Qilin each claimed 2 victims.

Q: Which industries were most targeted by ransomware today?

Manufacturing and Financial Services were among the most frequently targeted sectors, each accounting for 2 reported victims. However, activity was broadly distributed across several industries, including Education, Legal, and Technology/Software.

Q: Which geographic regions experienced the most ransomware attacks today?

The United States reported the highest number of new ransomware victims, with 12 incidents. Other affected regions included Qatar, Tunisia, the United Kingdom, and Ukraine, each reporting a single incident.

Q: What were some notable ransomware incidents reported recently?

Foxconn confirmed a cyberattack claimed by the Nitrogen ransomware group, involving significant data exfiltration. West Pharmaceutical Services disclosed a ransomware incident impacting its business operations, and Instructure made a deal with ShinyHunters following a data exposure on its Canvas platform.

About PurpleOps

PurpleOps is a cyber threat intelligence platform covering all threat vectors, from ransomware tracking to attack surface discovery. Our AI agents JINX and BUGSY triage threats and investigate incidents in natural language.

Our intelligence solutions:

• Ransomware Tracking
• Dark Web Monitoring
• Credential Intelligence
• Supply Chain Risk
• All Solutions

Ransomware Report - 05/12/2026

Statistical Overview

Victim Totals

• This month: 336
• This quarter: 1114
• Year to date: 3731
• Last 24h: 40

Quarterly Breakdown

With 40 new victims identified in the last 24 hours, Q2 activity shows sustained ransomware operations across multiple threat groups.

Introduction

The past 24 hours added 40 new ransomware victims to dedicated leak sites, indicating ongoing pressure on various sectors globally. Genesis led activity with 7 victims, followed by Qilin, Akira, CoinbaseCartel, and Lamashtu, each claiming 4 or 5 new targets. Geographic targeting remained concentrated in the United States. Industries such as Technology, Professional Services, Manufacturing, and Healthcare continued to experience impact.

Ransomware Summary Table

Analysis of today's ransomware activity shows Genesis as the most active group, adding 7 new victims. Groups like Qilin ransomware and Akira ransomware continue with victim counts, alongside CoinbaseCartel. Sector targeting is diverse, including Technology, Professional Services, and Manufacturing. Geographically, attacks distributed across North America, Europe, and Asia.

Targets included a Casino gaming commission by Genesis, the Jozef Stefan Institute (IJS)-a research institute-by CoinbaseCartel, and the Ayuntamiento de Valdemoro (local government) by Kairos. These incidents show persistent targeting of public sector and research institutions.

Victim Distribution

By Country

• United States: 22
• Mexico: 3
• United Kingdom: 3
• Spain: 2
• Canada: 2
• Thailand: 2
• Germany: 1
• India: 1
• Jamaica: 1
• Slovenia: 1

By Industry

• Real Estate: 2
• Manufacturing: 2
• Legal Services: 2
• IT Services and IT Consulting: 1
• Aviation and Aerospace Component Manufacturing: 1
• Business Process Outsourcing: 1
• Chamber of Commerce: 1
• Educational Technology: 1
• Electronics Distribution: 1
• Healthcare: 1

The United States remains the main target for ransomware operators, accounting for over half of all new victims in the last 24 hours. While industry targeting is broad, Real Estate, Manufacturing, and Legal Services experienced multiple incidents, which suggests a focus on sectors with high-value data or critical operational dependencies.

Ransomware News

Topline

A major education provider paid extortion demands, and a ransomware group's internal operations were exposed through a data leak.

Campaigns & Operations

Instructure reached a ransom agreement with ShinyHunters to prevent a 3.65TB Canvas data leak after attackers exploited a vulnerability in a support-ticket flow, siphoning 275 million records. Ahmed Al-Kadi Private Hospital in South Africa confirmed a ransomware breach encrypting a portion of its network. West Pharmaceutical Services experienced a cyberattack on May 4 that exfiltrated data and encrypted core systems, disrupting global operations. INC Ransom listed Earth Systems, an Australian environmental firm, claiming 600 GB of stolen data. Spain's Notin, an IT provider for notaries, was hit by Crypto24 ransomware, which deployed LockBit 5.0 to encrypt files and disrupt client services. The April 2026 Threat Trend Report showed broad global targeting across Manufacturing, Healthcare, and financial sectors, noting the emergence of new groups alongside active groups like Qilin and INC Ransom.

Vulnerabilities & TTPs

The Instructure incident involved exploiting a vulnerability within a free-for-teacher support-ticket flow. A data leak from The Gentlemen ransomware group exposed internal chats detailing RaaS operations, including access via compromised Fortinet edge gear, OpenConnect VPNs, extensive reconnaissance, EDR evasion, and mapping of critical infrastructure. South Staffordshire Water was fined after a nearly two-year intrusion that began with phishing and exploited weak monitoring, inadequate privileged access management, and unpatched legacy systems. Notin's attack by Crypto24 utilized LockBit 5.0, gaining access through stolen credentials, phishing, or exposed RDP, followed by lateral movement and data exfiltration. Overall trends in 2026 indicate a shift toward encryptionless extortion, post-quantum ransomware, and industrialized initial access via Access-as-a-Service, often using RDWeb/RDP abuse.

Analyst Note

These events show persistent reliance on known attack vectors like phishing and compromised credentials. They also demonstrate the increasing sophistication of data extortion tactics and the changing post-exploitation tradecraft documented in internal leaks.

Technical Takeaways

• The United States consistently experiences the highest volume of ransomware attacks. This shows a continued focus on the region by threat groups.
• Threat groups like INC Ransom, Genesis, and Crypto24 (LockBit 5.0) frequently use double-extortion tactics, combining data exfiltration with encryption to maximize pressure on victims.
• Recent analysis shows a shift toward encryptionless extortion and the industrialization of initial access through Access-as-a-Service models, often using RDWeb/RDP abuse.
• Internal leaks from ransomware groups, such as The Gentlemen, provide critical insights into their operational methods, including reconnaissance, EDR evasion, and how they structure affiliates.
• Critical infrastructure and public sector organizations remain high-value targets, as shown by incidents affecting a Casino gaming commission and local government organizations.

FAQ

Q: Which ransomware groups were most active today?

Genesis was the most active ransomware group in the last 24 hours, accounting for 7 new victims. Other active groups included Qilin (5 victims), Akira (4 victims), CoinbaseCartel (4 victims), and Lamashtu (4 victims).

Q: What industries were primarily targeted in the last 24 hours?

Ransomware attacks in the last 24 hours targeted diverse industries. Real Estate, Manufacturing, and Legal Services each recorded two victims. IT Services, Aviation, Business Process Outsourcing, and Healthcare were also affected.

Q: Which geographical regions experienced the most ransomware attacks today?

The United States was the most targeted country, with 22 new ransomware victims reported in the last 24 hours. Mexico and the United Kingdom also experienced activity, each with 3 new victims.

Q: What notable technical insights emerged from recent ransomware activity?

Key technical insights include the use of vulnerabilities in support-ticket flows for data exfiltration. Also, internal group leaks provided detailed documentation of ransomware-as-a-service operations, showing continued reliance on initial access vectors like phishing, exposed RDP, or stolen credentials. There is also a shift toward encryptionless extortion and industrialization of initial access.

About PurpleOps

PurpleOps is an AI-first cyber threat intelligence platform covering all major threat vectors, from ransomware tracking to attack surface discovery. Our AI agents JINX and BUGSY triage threats and investigate incidents in natural language. Our intelligence solutions:

• Ransomware Tracking
• Dark Web Monitoring
• Credential Intelligence
• Supply Chain Risk
• All Solutions

Ransomware Report - 05/11/2026

Statistical Overview

Victim Totals

• This month: 296
• This quarter: 1074
• Year to date: 3691
• Last 24h: 12

Quarterly Breakdown

The second quarter shows consistent ransomware activity, with 12 new victims reported in the last 24 hours. While Q2's cumulative total remains lower than Q1, the daily pace suggests pressure across various sectors.

Introduction

In the past 24 hours, PurpleOps observed 12 new ransomware victims, showing persistent threat activity. Akira and Interlock were the most active groups, each claiming three victims, followed by Medusa Locker with two. Attacks primarily impacted the United States, with sectors like Construction & Engineering, Hospitality & Travel, and Manufacturing experiencing incidents.

Ransomware Summary Table

Akira and Interlock were the most active groups over the last 24 hours, each claiming three victims, predominantly in the United States. Akira focused on Construction & Engineering and Hospitality, while Interlock impacted the Kent District Library, showing continued targeting of the Government / Public Sector. Medusa Locker, which has a distinct RaaS model and specific TTPs detailed in our analysis of Medusa Locker's exploitation tactics, added two victims in Technology/Software and Manufacturing. Nitrogen targeting FOXCONN in Taiwan was another high-value breach, showing pressure on critical manufacturing and electronics supply chains.

Victim Distribution

By Country

• United States: 7
• China: 1
• Croatia: 1
• Netherlands: 1
• None: 1
• Taiwan: 1

By Industry

• None: 2
• Machinery Manufacturing: 1
• Steel Construction: 1
• Electronics Manufacturing: 1
• Food and Beverage Services: 1
• Hospitality Management: 1
• Legal Services: 1
• Medical Equipment Manufacturing: 1
• Public Library System: 1
• Semiconductor Manufacturing Equipment: 1

The United States remains the primary target, accounting for most new ransomware victims. Industry targeting is diversified, but a concentration is observed in Manufacturing, particularly Electronics and Semiconductor sectors, alongside Hospitality and Government/Public Services.

Ransomware News

Topline

The past 24 hours included several ransomware-related developments, such as critical application exploitation, new social engineering tactics, and the emergence of new threat groups.

Campaigns & Operations

Instructure confirmed the exploitation of multiple cross-site scripting (XSS) flaws in their Canvas platform. This led to admin session hijacking, portal defacement, and significant data exfiltration, impacting over 8,800 institutions. Separately, the MuddyWater APT group used Microsoft Teams external chat requests for credential theft and MFA bypass, often masquerading as "Chaos ransomware" to hide their espionage objectives. In Japan, JR Tokai Takashimaya and pharmaceutical wholesaler Marutake Co., Ltd. reported separate ransomware incidents on May 1 and April 28, respectively. Both involved unauthorized access, system encryption, and likely double-extortion tactics; Marutake's incident is expected to require substantial restoration time. The M3rx ransomware group, newly identified, claimed Australian toy distributor KB Toys, exfiltrating 140 GB of data and listing 15 victims in total. An interview with MedusaLocker further detailed its long-running RaaS model, financially motivated targeting, and use of distinct victim-identifying extensions such as BAGAJAI and BARADAI.

Vulnerabilities & TTPs

Exploitation of multiple XSS flaws in the Canvas platform enabled initial access and data exfiltration in the Instructure breach. MuddyWater APT used advanced social engineering via Microsoft Teams to induce victims into sharing credentials and enabling MFA bypass, employing a multi-stage payload and dual remote access tools. The M3rx ransomware payload is identified as a PE32+ x64 Go binary, using X25519 for key exchange, AES-CTR for file content, and AES-GCM for per-file key wrapping. These varied tactics show organizations need to address critical vulnerabilities and ransomware breaches.

Analyst Note

These events show the persistent prevalence of double-extortion tactics and a diversified threat environment marked by opportunistic exploitation of application flaws, sophisticated social engineering, and the continued emergence of new ransomware groups.

Technical Takeaways

• The United States remains the primary geographic target for ransomware attacks.
• Critical manufacturing sectors, including Electronics and Semiconductors (e.g., FOXCONN), are under sustained pressure.
• Adversaries are actively exploiting web application vulnerabilities, such as XSS flaws in enterprise platforms like Canvas, for initial access and data exfiltration.
• Social engineering via collaboration platforms like Microsoft Teams is a changing tactic for credential theft and MFA bypass, sometimes used to mask espionage.
• New ransomware groups, such as M3rx, continue to emerge, introducing new tooling (Go binaries) and crypto implementations (X25519, AES-CTR, AES-GCM).
• The Akira ransomware group remains active; a detailed analysis of Akira's TTPs is available.

FAQ

Q: Which ransomware groups were most active today?

Akira and Interlock were the most active ransomware groups today, each responsible for three new victim postings. Medusa Locker followed, claiming two additional victims, showing persistent activity across various sectors.

Q: Which industries were most targeted by ransomware today?

Today's ransomware activity showed diverse targeting across several industries. Sectors affected include Construction & Engineering, Hospitality & Travel, Technology / Software, Manufacturing (specifically Electronics and Semiconductor), and Government / Public Sector, as shown by the Kent District Library incident.

Q: What regions saw the most ransomware attacks?

The United States experienced the highest concentration of ransomware attacks, with seven reported victims. Other affected regions included China, Croatia, the Netherlands, and Taiwan, which saw an incident involving FOXCONN. Japan also reported two ransomware incidents.

Q: Were any new ransomware groups identified today?

Yes, the M3rx ransomware group was identified, claiming its first publicly known victim, Australian toy distributor KB Toys. This group has publicly listed 15 victims to date and uses a PE32+ x64 Go binary payload.

Q: What notable attack techniques or vulnerabilities were observed in recent ransomware incidents?

Recent incidents show exploitation of multiple cross-site scripting (XSS) flaws in the Canvas platform for data exfiltration and portal defacement. The MuddyWater APT group used Microsoft Teams for social engineering to achieve credential theft and MFA bypass, a tactic often disguised as ransomware activity to misdirect investigators.

About PurpleOps

PurpleOps is an AI-first cyber threat intelligence platform covering all threat vectors, from ransomware tracking to attack surface discovery. Our AI agents JINX and BUGSY triage threats 24/7 and investigate incidents in natural language.

Our intelligence solutions:

- Ransomware Tracking

- Dark Web Monitoring

- Credential Intelligence

- Supply Chain Risk

- All Solutions

Ransomware Report - 05/10/2026

Statistical Overview

Victim Totals

• This month: 284
• This quarter: 1062
• Year to date: 3679
• Last 24h: 24

Quarterly Breakdown

Q2 ransomware activity tracks consistently with Q1, showing threat actors maintaining a high operational tempo. The 24 new victims in the last 24 hours reflect ongoing pressure across sectors, similar to trends discussed in our Q2 Ransomware Activity Report.

Introduction

In the past 24 hours, PurpleOps observed 24 new ransomware victims, which suggests consistent threat actor activity. Leak_Bazaar and Lynx were the most active groups, accounting for over two-thirds of reported breaches. These attacks primarily affected the Financial Services and Technology sectors, and were concentrated in North America and Europe, reflecting recent ransomware trends.

Ransomware Summary Table

Leak Bazaar and Lynx were the most active in ransomware activity over the last 24 hours, accounting for 17 of the 24 reported victims. Leak Bazaar focused heavily on Financial Services and Construction & Engineering firms in India and the United Kingdom. Lynx showed a broader reach, targeting Education and Technology sectors primarily in Germany and the United States. Other groups, including INC Ransom and Fulcrum, maintained a lower but persistent presence, with Fulcrum specifically affecting a UK-based professional services firm, a group whose activities we discussed in a previous report.

Victim Distribution

By Country

• United States: 13
• United Kingdom: 4
• Spain: 2
• Germany: 1
• United Arab Emirates: 1
• Taiwan: 1
• Singapore: 1
• India: 1

By Industry

• Legal Services: 2
• Financial Services: 2
• Accounting: 1
• Tourism and Hospitality: 1
• Packaging Services: 1
• Information Technology Services: 1
• Individual and Family Services: 1
• Healthcare: 1
• Food and Beverage Services: 1
• Food & Beverage: 1

The United States remains the primary target country, with over half of all victims reported today, showing a consistent focus on North American entities. While Financial Services and Legal Services had multiple incidents, the overall industry distribution points to a fragmented targeting approach, as various sectors experienced single breaches.

Ransomware News

Topline

The last 24 hours included two significant ransomware incidents affecting an Italian luxury goods manufacturer and Australian mining companies. These incidents show persistent threats to diverse industries.

Campaigns & Operations

Around May 9, 2026, Unoaerre, an Italian gold jewelry manufacturer, was hit by a ransomware attack that disrupted its operational systems. Threat actors demanded 3.8 million euros in Bitcoin for data restoration and to prevent data dissemination. Initial investigations suggest involvement from Eastern Europe and the Middle East. Around May 6, 2026, multiple Australian mining firms faced disruptions after Scope Systems, a cloud-based software provider, was breached. Northern Star Resources and Evolution Mining were among the reported targets, with the incident affecting core ERP and asset management SaaS services.

Vulnerabilities & TTPs

No new CVEs were identified in today's reporting; however, both incidents showed supply-chain risks. The Scope Systems breach revealed a cascade effect from credential theft and potential data exfiltration at a third-party provider, affecting client operations.

Analyst Note

These incidents emphasize the growing effectiveness of supply-chain targeting and the financial motivations behind current ransomware operations, particularly against established businesses.

Technical Takeaways

• Dominant Activity: Leak Bazaar and Lynx were the most active ransomware groups, responsible for 70% of new victims in the last 24 hours. This shows their current high operational tempo.
• Geographic Concentration: North America, specifically the United States, accounted for over 50% of the newly reported ransomware victims. It remains a primary target region.
• Targeted Verticals: While Financial Services and Technology / Software had concentrated attacks, the overall distribution across industries remained broad. This suggests opportunistic rather than highly specialized targeting for most groups.
• Supply Chain Exploitation: Recent news shows an ongoing focus on supply chain vulnerabilities. Ransomware groups use breaches in IT service providers to gain access to multiple downstream clients.

FAQ

Q: Which ransomware groups were most active in the past 24 hours?

Leak Bazaar and Lynx were the most active ransomware groups. Leak Bazaar reported 9 victims, and Lynx reported 8. They accounted for over 70% of all observed ransomware activity during this period.

Q: What industries were primarily targeted by ransomware today?

Financial Services and Technology / Software were the most frequently targeted sectors, and multiple incidents were reported. Today's data also shows various single-victim attacks across industries like Education, Legal Services, Professional Services, and Media & Entertainment.

Q: Which geographic regions experienced the most ransomware attacks today?

The United States was the most targeted country, reporting 13 new victims. The United Kingdom followed with 4 victims, while Spain, Germany, United Arab Emirates, Taiwan, Singapore, and India each reported 1 or 2 incidents.

Q: Are there any newly exploited vulnerabilities or specific CVEs associated with today's ransomware activity?

Based on the provided intelligence for May 10, 2026, no new specific CVEs have been publicly identified or confirmed as actively exploited by ransomware operators in the reported incidents. However, recent attacks show supply-chain risks and initial access via credential theft and data exfiltration.

About PurpleOps

PurpleOps is an AI-first cyber threat intelligence platform. It covers every threat vector, from ransomware tracking to attack surface discovery. Our AI agents JINX and BUGSY triage threats and investigate incidents 24/7 in natural language.

Explore our intelligence solutions:

• Ransomware Tracking
• Dark Web Monitoring
• Credential Intelligence
• Supply Chain Risk
• All Solutions

Ransomware Report - 05/09/2026

Statistical Overview

Victim Totals

• This month: 260
• This quarter: 1039
• Year to date: 3656
• Last 24h: 36

Quarterly Breakdown

Ransomware activity remains consistent, with Q2 already reflecting a significant portion of Q1's total victims despite being an incomplete quarter. The past 24 hours saw 36 new victims. For more details on current trends, see our latest Q2 ransomware activity report.

Introduction

The past 24 hours recorded 36 new ransomware victims, showing consistent activity. "The Gentelman" and Qilin were the most active groups, collectively accounted for over half of the new compromises. While targeting was geographically diverse, the United States was the primary victim country, with Construction and Technology / Software were frequently impacted sectors.

Ransomware Summary Table

The latest 24-hour period showed continued high activity from "The Gentelman" and Qilin, with 10 and 9 victims respectively. Genesis also showed moderate activity with 5 new victims, primarily in the United States and Canada. Key sectors targeted include Construction & Engineering, Transportation & Logistics, and Technology / Software. These ransomware operators used a broad-spectrum approach. For more information on active groups like "The Gentelman" and Qilin, see our recent report on new ransomware victims. No government, military, or critical infrastructure entities were identified among the sample victims listed today.

Victim Distribution

By Country

• United States: 19
• India: 2
• Germany: 2
• Venezuela: 1
• Argentina: 1
• United Kingdom: 1
• Spain: 1
• Poland: 1
• None: 1
• Nigeria: 1

By Industry

• Construction: 5
• Machinery Manufacturing: 2
• Chemical Manufacturing: 2
• Financial Services: 1
• Civil Engineering and Land Surveying: 1
• Clinical Research: 1
• Construction and Building Materials: 1
• Consulting: 1
• Design Services: 1
• Education: 1

The United States was the primary target of ransomware attacks, accounting for over half of all victims today. The concentration in Construction and related industries suggests either opportunistic targeting or a focused campaign against this sector.

Ransomware News

Topline

Recent intelligence reveals a re-compromise of a major educational platform and the release of important security patches for widely used web hosting software.

Campaigns & Operations

ShinyHunters has claimed a second successful breach against Instructure's Canvas LMS, alleging theft of approximately 3.65 TB of data, affecting around 275 million individuals from nearly 9,000 institutions. This re-exploitation happened despite Instructure's earlier claims of containment. The group has pushed a new leak deadline. Instructure has temporarily shut down Free-For-Teacher accounts to address issues. This persistent targeting of an educational platform shows the significant data breach risks the sector faces.

Vulnerabilities & TTPs

cPanel and WHM have released fixes for three vulnerabilities: CVE-2026-29201 (CVSS 4.3), CVE-2026-29202 (CVSS 8.8), and CVE-2026-29203 (CVSS 8.8). These range from arbitrary file reads to arbitrary Perl code execution and unsafe symlink handling. These could lead to denial-of-service or privilege escalation. While no public exploitation is confirmed, these patches follow recent CVE-2026-41940 zero-day activity involving Mirai and ransomware, showing the importance of timely patching for web infrastructure.

Analyst Note

These developments show a dual threat: persistent re-exploitation of enterprise applications and the continuous discovery and patching of important vulnerabilities in widely deployed software.

Technical Takeaways

1. "The Gentelman" and Qilin groups maintained high activity, accounting for over half of new compromises.
2. The Construction sector and related industries (Civil Engineering, Building Materials) were consistently targeted, reporting 5 victims.
3. The United States accounted for 19 out of 36 new victims, becoming a primary target geography.
4. Vulnerabilities (CVE-2026-29201, CVE-2026-29202, CVE-2026-29203) in cPanel/WHM show ongoing risks to web infrastructure.
5. ShinyHunters' re-exploitation of Instructure shows persistent threat actor capabilities and challenges in incident response.

FAQ

Which ransomware groups were most active in the last 24 hours?

"The Gentelman" was the most active group, responsible for 10 new victims, followed closely by Qilin with 9 victims. Genesis recorded 5 new victims during this period.

What industries were most targeted by ransomware today?

The Construction sector experienced the highest number of attacks, with 5 victims reported. Other targeted industries included Machinery Manufacturing, Chemical Manufacturing, and Technology / Software.

Which geographic regions saw the most ransomware attacks today?

The United States was overwhelmingly the most targeted country, accounting for 19 of the 36 new victims. India and Germany each reported 2 victims, while other countries saw single incidents.

Have there been any new vulnerabilities relevant to ransomware identified recently?

Yes, cPanel and WHM released patches for three vulnerabilities: CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203. These could lead to arbitrary file reads, code execution, or privilege escalation, and their patching is important to prevent potential ransomware-related exploitation.

About PurpleOps

PurpleOps is an AI-first cyber threat intelligence platform covering every threat vector, from ransomware tracking to attack surface discovery. Our AI agents JINX and BUGSY triage threats 24/7 and investigate incidents in natural language.

Explore our intelligence solutions:

- Ransomware Tracking

- Dark Web Monitoring

- Credential Intelligence

- Supply Chain Risk

- All Solutions

Ransomware Report - 05/08/2026

Statistical Overview

Victim Totals

• This month: 226
• This quarter: 1005
• Year to date: 3622
• Last 24h: 26

Quarterly Breakdown

Q2 ransomware activity counts 1,005 victims, a decrease from Q1's 2,622. The year-to-date total is 3,622, with 26 new victims in the past 24 hours.

Introduction

PurpleOps recorded 26 new ransomware victims in the past 24 hours. This shows continued activity among various threat groups. LockBit was the most active group with five victims, followed by INC_Ransom (4), Akira (3), Play News (3), and Qilin (2). Attacks targeted diverse industries, affecting manufacturing, healthcare, and construction & engineering sectors, mostly in North America and parts of Asia. For more on recent trends, see our Ransomware Victims Update - May 07.

Ransomware Summary Table

LockBit remained the most active group in the last 24 hours, ahead of INC_Ransom and Akira. Manufacturing, construction, and healthcare were frequent targets, showing attacks across many industries by several threat groups. The United States and Canada reported the most incidents. More on LockBit and Qilin's activities is in our Ransomware Threat Activity Update - May 01. Detailed analysis of INC_Ransom and Akira is available in our CVE-2025-5777 Ransomware Breach report.

Victim Distribution

By Country

• United States: 10
• Canada: 3
• None: 2
• Taiwan: 1
• Thailand: 1
• Australia: 1
• Switzerland: 1
• Peru: 1
• Japan: 1
• Jamaica: 1

By Industry

• Industrial Machinery & Equipment: 2
• None: 2
• Machinery Manufacturing: 1
• Software Development: 1
• Self-Storage: 1
• Real Estate: 1
• Precision Machining: 1
• Insurance: 1
• HVAC Distribution: 1
• Healthcare: 1

The United States is the primary target for ransomware attacks, with 10 reported victims. Beyond the U.S., activity spread geographically, with several countries reporting single incidents and no single industry showing overwhelming concentration in this 24-hour period.

Ransomware News

Topline

The past 24 hours brought varied ransomware developments, including data extortion claims against cybersecurity firms, nation-state false-flag operations, and several incidents affecting Japanese organizations.

Campaigns & Operations

RansomHouse, a data-extortion group, claimed a breach of cybersecurity firm Trellix, alleging access to source code and appliance management systems. Trellix confirmed unauthorized access to a portion of its source code repository but found no evidence of compromised release processes. ShinyHunters defaced the Canvas LMS portal, claiming exfiltration of 3.65TB from nearly 9,000 institutions. This group uses an extortion and credential theft model instead of encryption. In Japan, several organizations reported ransomware incidents. These include Shin-Facom Co., Ltd., F1 Corporation's contractor (with potential PII exfiltration for 285 customers), and Medica Publishing. All these incidents occurred around mid-April, and investigations into data impact are ongoing.

Vulnerabilities & TTPs

Rapid7 researchers identified Iranian MOIS-backed MuddyWater using Chaos ransomware as a false-flag cover for espionage and data theft. This operation began with Microsoft Teams social engineering to obtain VPN credentials, followed by remote management tool deployment and data leak threats. It is significant because it lacks encryption and uses ransomware tooling to obscure state-driven objectives.

Analyst Note

The activity shows more complex motivations among threat actors. They combine traditional data encryption with data exfiltration and false-flag operations to achieve various strategic goals.

Technical Takeaways

• Wider Geographic Targeting: The United States is still a primary target, but victims are spread across Canada, Japan, Australia, and parts of Europe and Latin America, showing ransomware groups target many regions.
• Established Groups Remain Active: LockBit continues its high activity, with 5 new victims, showing it persists despite ongoing law enforcement operations.
• Encryption and Extortion Threats: News items show data exfiltration and extortion (e.g., RansomHouse, ShinyHunters) are as common as traditional encryption-based ransomware, presenting substantial data breach risks.
• False-Flag Operations: MuddyWater's use of Chaos ransomware as a false-flag for espionage shows advanced tactics to hide attribution and blends cybercrime with state-sponsored activity.
• Manufacturing Remains a Target: Manufacturing appears on multiple groups' victim lists (Akira, Play News, Qilin, 3AM), which suggests the industry continues to be vulnerable.

FAQ

Q: Which ransomware groups were most active in the last 24 hours?

LockBit was the most active group, reporting five new victims. Following LockBit, INC_Ransom claimed four victims, while Akira and Play News each listed three. Qilin reported two new victims.

Q: What industries were most targeted by ransomware in the last 24 hours?

Manufacturing, including Industrial Machinery & Equipment, Machinery Manufacturing, and Precision Machining, together accounted for many incidents. Other targeted sectors included healthcare, construction & engineering, and real estate.

Q: Which countries reported the highest number of ransomware victims today?

The United States reported the highest number of victims with 10 incidents. Canada followed with 3 victims, while Australia, Japan, Switzerland, Peru, Thailand, Jamaica, and Taiwan each reported one victim.

Q: Were there any notable ransomware campaigns or technical insights reported today?

Yes, developments include Iranian state-sponsored group MuddyWater using Chaos ransomware as a false-flag for espionage and data theft. Also, groups like RansomHouse conducted data extortion against Trellix, and ShinyHunters targeted Canvas LMS portals.

About PurpleOps

PurpleOps is a cyber threat intelligence platform that uses AI, covering every threat vector from ransomware tracking to attack surface discovery. Our AI agents JINX and BUGSY triage threats 24/7 and investigate incidents in natural language.

See our intelligence solutions:

• Ransomware Tracking
• Dark Web Monitoring
• Credential Intelligence
• Supply Chain Risk
• All Solutions

Ransomware Report - 05/07/2026

Statistical Overview

Victim Totals

• This month: 201
• This quarter: 980
• Year to date: 3598
• Last 24h: 34

Quarterly Breakdown

Q1: 2622 | Q2: 980 | Q3: 0 | Q4: 0

Ransomware victim counts continue to accumulate in Q2. Today's activity shows consistent pressure on various sectors globally. For more context on recent trends, see our Ransomware Victims Q2 May 06 report.

Introduction

The past 24 hours saw 34 new ransomware victims reported. This shows sustained activity across multiple threat groups. SafePay was the most active group with 9 new victims, closely followed by Qilin with 8. Targets included Legal Services, Professional Services, and Retail & Ecommerce sectors, with the United States experiencing the highest concentration of attacks.

Ransomware Summary Table

SafePay and Qilin demonstrated the highest activity over the last 24 hours, collectively accounting for 17 of the 34 new victims. LeakedData continued its focus on the Legal sector, while M3RXDLS targeted Retail & Ecommerce and Professional Services. This pattern is consistent with recent observations in our M3RXDLS ransomware threat activity report. Geographically, the United States remained the primary target, alongside scattered activity across Europe and South America. Further details on groups like Qilin and SafePay can be found in our ransomware victim summary from May 05.

Victim Distribution

By Country

• United States: 16
• Italy: 4
• United Kingdom: 3
• Germany: 3
• Thailand: 1
• Australia: 1
• Switzerland: 1
• Spain: 1
• Paraguay: 1
• Denmark: 1

By Industry

• Legal Services: 6
• Law Practice: 3
• Transportation, Automotive & Logistics: 1
• Pharmaceutical Manufacturing: 1
• Local Trucking, Without Storage: 1
• IT Services and Systems Integration: 1
• General Engineering and Construction: 1
• Foodservice Design and Consulting: 1
• Facilities Services: 1
• Construction Training and Apprenticeship: 1

The concentration of attacks on the United States and the Legal sector suggests a continued focus on economically significant regions and industries that handle sensitive data. This shows persistent targeting of professional services.

Ransomware News

Topline

Ransomware-related disclosures over the past 24 hours show ongoing supply chain vulnerabilities, targeted data exfiltration campaigns, and the deceptive use of ransomware branding by state-sponsored actors.

Campaigns & Operations

Multiple Japanese organizations, including Nambu Corporation, Nippon Telenet, and Hotel Okura Fukuoka, reported ransomware incidents in March and April 2026. These incidents used compromises of outsourcing partners or cloud-based systems, which led to potential personal and customer data exposure. Separately, Australian car-parts importer Strategic Imports was breached by MedusaLocker, while energy management firm Energy Action was listed on SafePay's dark web leak site following a data exfiltration event. ASEC's Week 1 May 2026 report noted cross-border activity, including BlackWater targeting a Chinese auto parts manufacturer and Guatemalan government data sales.

Vulnerabilities & TTPs

MedusaLocker is known to exploit exposed RDP configurations and phishing campaigns for initial access. The Iranian APT MuddyWater was observed masquerading as Chaos ransomware activity. It employed high-touch social engineering via Microsoft Teams for credential harvesting and MFA manipulation. This was followed by data exfiltration and long-term persistence via DWAgent rather than encryption. This tactic also showed MuddyWater-style certificates and infrastructure, with a victimology shift towards the Middle East, North Africa, and Southeast Asia.

Analyst Note

These events collectively show the significant impact of supply chain compromises and the evolving tactics of threat actors who use ransomware as a cover for more sophisticated data exfiltration and intelligence-gathering operations.

Technical Takeaways

• Geographic Focus: The United States remains a primary target, making up nearly half of all new victims in the last 24 hours.
• Industry Preference: Legal Services and Professional Services are consistently important targets, likely due to access to sensitive client data.
• Supply Chain Exploitation: Recent incidents in Japan show a recurring theme of threat actors compromising third-party vendors and cloud systems to reach primary targets.
• APT Blurring: The use of ransomware branding by advanced persistent threat (APT) groups like MuddyWater shows a strategic shift towards using ransomware as a deceptive tactic for data exfiltration and long-term persistence.
• Common TTPs: Initial access vectors continue to include common methods like exposed RDP and phishing campaigns, as observed with MedusaLocker activity.

FAQ

Q: Which ransomware groups were most active in the last 24 hours?

SafePay reported 9 new victims and Qilin reported 8. They were the most active ransomware groups in the past 24 hours based on victim disclosures. LeakedData followed with 6 new victims.

Q: What industries were most targeted by ransomware today?

Legal Services and Law Practice combined account for 9 victims. This makes the legal sector the most heavily targeted industry today. Professional Services also saw significant activity with 5 victims from various groups.

Q: Which countries experienced the highest number of ransomware attacks today?

The United States reported 16 new ransomware victims, which is the highest number of attacks by country in the last 24 hours. Italy, the United Kingdom, and Germany followed with 4 and 3 victims each, respectively.

Q: Were there any new ransomware groups identified or important changes in TTPs?

While no entirely new ransomware groups were identified today, the Iranian APT MuddyWater was observed operating under the Chaos ransomware brand. This is an important change in TTPs, as the group used high-touch social engineering and MFA bypass for data exfiltration and persistence, using ransomware as a cover rather than a primary encryption method.

About PurpleOps

PurpleOps is a cyber threat intelligence platform covering all threat vectors, from ransomware tracking to attack surface discovery. Our AI agents JINX and BUGSY triage threats 24/7 and investigate incidents in natural language.

Explore our intelligence solutions:

• Ransomware Tracking
• Dark Web Monitoring
• Credential Intelligence
• Supply Chain Risk
• All Solutions

Ransomware Report - 05/06/2026

Statistical Overview

Victim Totals

• This month: 167
• This quarter: 947
• Year to date: 3565
• Last 24h: 70

Quarterly Breakdown

Ransomware victim counts for Q2 currently stand at 947, showing sustained activity after Q1's 2622 recorded incidents. The past 24 hours alone contributed 70 new victims, indicating continued operations.

Introduction

The past 24 hours saw 70 new ransomware victims added to leak sites, maintaining a consistent threat environment. The_Gentelman was the most active group, claiming 27 victims, followed by Medusa Locker with 18. Other active groups included Meduza, Sinobi, and Akira. Geographically, the United States, Japan, and India were impacted, and the Education and Automotive sectors saw significant targeting.

Ransomware Summary Table

The_Gentelman led ransomware activity in the last 24 hours, responsible for 27 new victim postings in sectors like Education and Pharmaceuticals & Biotech, focusing on Japan and India. For more details on groups such as The_Gentelman and Sinobi, refer to our daily ransomware report from January 12, 2026. Medusa Locker followed with 18 victims, mainly impacting Automotive and Education entities in Brazil and Costa Rica; more information about active groups like Medusa Locker can be found in our previous reports. Other groups included Meduza (7 victims), Sinobi (5 victims, in India and the United States), and Akira (4 victims, targeting Financial Services and Healthcare). Qilin claimed "Le maire de quiberon" (The Mayor of Quiberon) in France, showing persistent targeting of the Government/Public Sector.

Victim Distribution

Which countries were most affected by ransomware today?

• United States: 22
• Italy: 5
• United Kingdom: 4
• Canada: 4
• Taiwan: 3
• United Arab Emirates: 2
• India: 2
• France: 2
• Brazil: 2
• Australia: 2

What industries did ransomware groups target?

• Manufacturing: 5
• Education: 5
• Software Development: 4
• Pharmaceutical Manufacturing: 2
• Healthcare: 2
• Architecture, Engineering & Design: 1
• Accounting and Financial Services: 1
• Public Relations and Communications Services: 1
• Line marking and surface coating: 1
• Environmental Services: 1

The United States was the most frequently targeted nation, accounting for 22 victims. Italy, the United Kingdom, and Canada also saw activity. Manufacturing and Education were the most impacted industries, each registering 5 victims. This shows broad and diverse targeting by ransomware groups.

Ransomware News

Topline

Today's ransomware-relevant developments include significant breach disclosures, changes in attack methods by state-sponsored actors, and continued legal action against cybercriminals.

Campaigns & Operations

Rapid7 researchers reported MuddyWater disguising its intrusions as Chaos ransomware operations. They used Microsoft Teams for social engineering and deployed decoys for broader cyber-espionage. ShinyHunters reportedly breached Instructure's Canvas LMS, exfiltrating approximately 275 million student, teacher, and staff records across 8,809 affected institutions. A production halt at Foxconn's Mount Pleasant, Wisconsin facility, citing abnormal network issues, is suspected to be a cybersecurity incident consistent with an OT/ICS disruption.

Vulnerabilities & TTPs

Reports state that ransomware attacks often succeed because attackers deliberately expose, access, and destroy backups, not just due to their absence. Threat Activity Enablers (TAEs), infrastructure providers operating through shell entities, continue to sustain various ransomware and state-sponsored campaigns. Insider threats also contribute to data broker breaches, as seen with National Public Data's 2.9 billion record exposure and an IT administrator holding systems for ransom. Ransomware incidents in 2024, while fewer, saw more severe breaches with increased ransom payments. Small organizations and email/phishing were primary targets.

Analyst Note

These developments show the connection between state-sponsored and financially motivated actors, the pervasive data supply chain threat, and ongoing efforts to prosecute ransomware affiliates globally, as evidenced by the sentencing of a Latvian national involved in Conti-led operations.

Technical Takeaways

• New Groups Led Activity: The_Gentelman was the most active group in the last 24 hours with 27 victims, outnumbering other established groups.
• Education Sector Still Targeted: Education continued to be a primary target, appearing among the top sectors for victim counts (5 victims), with examples from The_Gentelman and Medusa Locker.
• Geographic Spread Across APAC and Americas: Ransomware activity showed a wide geographic spread, impacting countries like Japan, India, Brazil, and Canada, alongside persistent targeting in the United States.
• Government Sector Targeted: Qilin's targeting of "Le maire de quiberon" (Government/Public Sector, France) shows ongoing threat actor interest in public institutions.
• Backup Destruction Tactics Change: Recent intelligence shows attackers' deliberate strategies to compromise and destroy backups. This demonstrates the need for advanced data resilience.

FAQ

Which ransomware groups were most active in the past 24 hours?

The_Gentelman was the most active group, claiming 27 victims. Medusa Locker followed with 18 victims. Meduza, Sinobi, and Akira also reported activity.

What industries did ransomware groups target?

Manufacturing and Education sectors were equally impacted, each reporting 5 new victims. Other sectors with activity included Software Development, Pharmaceutical Manufacturing, and Healthcare.

Which countries experienced the highest number of ransomware attacks in the last 24 hours?

The United States recorded the highest number of new victims with 22. Italy, the United Kingdom, and Canada each reported 4 victims. This indicates a broad geographic spread of attacks.

Were any government entities targeted by ransomware today?

Yes, the Qilin ransomware group claimed "Le maire de quiberon" (The Mayor of Quiberon) in France, showing continued targeting of the Government/Public Sector.

What emerging ransomware tactics were highlighted in recent news?

Recent intelligence showed MuddyWater using Chaos ransomware as a decoy for cyber-espionage and attackers actively targeting and destroying backups to hinder recovery efforts.

About PurpleOps

PurpleOps is an AI-first cyber threat intelligence platform covering every threat vector, from ransomware tracking to attack surface discovery. Our AI agents JINX and BUGSY triage threats 24/7 and investigate incidents in natural language.

Our intelligence solutions:

• Ransomware Tracking
• Dark Web Monitoring
• Credential Intelligence
• Supply Chain Risk
• All Solutions

Ransomware Report - 05/05/2026

Statistical Overview

Victim Totals

• This month: 97
• This quarter: 854
• Year to date: 3472
• Last 24h: 30

Quarterly Breakdown

Q2 activity continues to add to the year-to-date total, showing a consistent threat situation with 854 victims this quarter and 3472 year-to-date. For more on recent activity, see our latest ransomware victims report.

Introduction

In the past 24 hours, 30 new ransomware victims were reported across various leak sites. Qilin reported 8 new victims, SafePay 6, and INC_Ransom 3, leading the activity. The United States remained the primary geographic target. Financial services and professional services sectors were significantly targeted, along with retail.

Ransomware Summary Table

Qilin was the most active group, primarily targeting financial services and legal sectors across Spain and Ukraine. SafePay was also active, affecting professional services and government entities in Sweden and Japan. The United States remains a focal point for groups like INC Ransom, Akira, and Chaos, showing a diverse range of targets. Qilin notably targeted the Standard-Examiner today, as reported in recent news, which may show a possible focus on media entities. Everest Group claims regarding Liberty Mutual data also point to ongoing pressure on large insurers, though Liberty Mutual attributes this to a third-party vendor incident. For more on active groups like Qilin, SafePay, Akira, and INC_Ransom, see our daily ransomware reports.

Victim Distribution

By Country

• United States: 15
• Canada: 2
• Italy: 2
• Ukraine: 1
• Thailand: 1
• Sweden: 1
• Spain: 1
• Portugal: 1
• Mexico: 1
• Japan: 1

By Industry

• Law Firms & Legal Services: 2
• Construction: 2
• Home Improvement & Hardware Retail: 2
• Automotive: 1
• Specialty Industrial Machinery: 1
• Social Services: 1
• Religious Travel and Tourism: 1
• Real Estate: 1
• Non-Profit & Charitable Organizations: 1
• Investment Management: 1

The United States remains the predominant target, accounting for half of the reported victims in the last 24 hours. Industry distribution is fragmented, with legal services, construction, and retail showing slightly higher victim counts. This suggests opportunistic targeting across various small to medium-sized enterprises.

Ransomware News

Ransomware activity today includes new attacks, significant data leaks, critical vulnerability exploitation, and significant law enforcement action against an extortion group. Rootboy conducted a three-week assault on Standard Bank (South Africa) and Liberty, exfiltrating 1.2 TB of data and over 154 million SQL rows. In Germany, 4SELLERS, an e-commerce solutions provider, experienced a targeted ransomware attack. Champion Homes (Sydney) confirmed a cyber event linked to the DragonForce ransomware operation, resulting in a 44-gigabyte dataset published to the dark web. The Everest Group began leaking what it claims is 108 GB of Liberty Mutual data, following an alleged failure to meet demands, though Liberty Mutual attributes this to a third-party vendor incident. The Qilin ransomware group listed STANDARD-EXAMINER on its leak site after the paper reported production difficulties. Separately, the VENOMOUS#HELPER phishing campaign impacted over 80 organizations, mainly in the U.S., deploying SimpleHelp RMM via compromised domains. Law enforcement efforts saw Latvian national Deniss Zolotarjovs, a Karakurt extortion negotiator, sentenced to 8.5 years for conspiracy to commit wire fraud and money laundering, marking the first U.S. sentencing of a Karakurt member.

A critical authentication-bypass flaw, CVE-2026-41940 in cPanel/WHM/WP Squared, was weaponized within hours of disclosure, leading to botnet deployment and ransomware encrypting files with a .sorry extension. Progress Software patched critical MOVEit Automation vulnerabilities, CVE-2026-4670 (authentication bypass) and CVE-2026-5174 (privilege escalation), in MOVEit Automation. New intelligence details how infostealers act as a major initial attack vector that fuels ransomware campaigns. For more details on Qilin activity and cPanel vulnerabilities, see our report from May 3rd.

Technical Takeaways

• Broadened Initial Access: The VENOMOUS#HELPER phishing campaign's use of dual-channel RMM tools (SimpleHelp and ScreenConnect) shows complex initial access broker tactics designed for redundancy and evasion.
• Rapid CVE Exploitation: The immediate weaponization of CVE-2026-41940 in cPanel/WHM/WP Squared within hours of disclosure shows the urgency for patch deployment, especially for critical authentication bypass flaws.
• Infostealer Nexus: New intelligence confirms infostealers as a significant initial attack vector for ransomware, showing the importance of credential intelligence in preventing attacks.
• Diverse Sector Targeting by Top Groups: Qilin and SafePay showed broad targeting across financial services, legal, professional services, and government sectors, which shows a non-discriminatory approach to victim selection.
• Third-Party Risk: Multiple incidents, including the alleged Liberty Mutual data leak linked to a third-party vendor, emphasize the challenge of managing supply chain risk for organizations.

FAQ

Q: Which ransomware groups were most active in the last 24 hours?

Qilin was the most active group with 8 new victims, followed by SafePay with 6 victims, and INC_Ransom with 3 victims. Akira and Chaos each reported 2 new victims.

Q: What geographic regions experienced the most ransomware attacks today?

The United States was the most targeted country, accounting for 15 of the 30 new victims. Canada, Italy, Ukraine, Thailand, Sweden, Spain, Portugal, Mexico, and Japan each saw 1 to 2 reported incidents.

Q: Which industries were most frequently targeted by ransomware in this period?

Industry targeting was diverse, with Law Firms & Legal Services, Construction, and Home Improvement & Hardware Retail each reporting 2 victims. Other industries such as Automotive, Financial Services, and Non-Profit Organizations also experienced attacks.

Q: Were any new critical vulnerabilities exploited by ransomware operators today?

Yes, the critical authentication-bypass flaw CVE-2026-41940 in cPanel/WHM/WP Squared was weaponized within hours of its disclosure, leading to ransomware deployments. Progress Software also patched critical authentication bypass (CVE-2026-4670) and privilege escalation (CVE-2026-5174) vulnerabilities in MOVEit Automation.

About PurpleOps

PurpleOps is an AI-first cyber threat intelligence platform covering every threat vector, from ransomware tracking to attack surface discovery. Our AI agents JINX and BUGSY triage threats 24/7 and investigate incidents in natural language.

Explore our intelligence solutions:

• Ransomware Tracking
• Dark Web Monitoring
• Credential Intelligence
• Supply Chain Risk
• All Solutions

Ransomware Report - 05/04/2026

Statistical Overview

Victim Totals

• This month: 67
• This quarter: 824
• Year to date: 3442
• Last 24h: 7

Quarterly Breakdown

Q1: 2622 | Q2: 824 | Q3: 0 | Q4: 0

The daily victim count of 7 indicates a steady pace, contributing to a solid Q2 total that, while currently lower than Q1, suggests consistent ransomware pressure across diverse sectors.

Introduction

In the last 24 hours, seven new ransomware victims have been observed, continuing a consistent operational tempo for threat actors. Key groups such as Lamashtu, DragonForce, INC Ransom, Interlock, and Qilin accounted for the majority of these incidents. The primary affected sectors included Hospitality & Travel, Financial Services, Pharmaceuticals & Biotech, and government infrastructure.

Ransomware Summary Table

The past 24 hours show Lamashtu leading with two new victims across Egypt and the UAE, primarily targeting Hospitality & Travel and Pharmaceuticals & Biotech. Other active groups, including DragonForce, INC Ransom, Interlock, Qilin, and Space Bears, each claimed one victim, contributing to diverse attacks. Qilin's targeting of the City of Sandstone in the United States represents a focus on the government/public sector, a high-value target category due to its critical services and sensitive data, similar to recent activities as detailed in our ransomware threat activity updates.

Victim Distribution

By Country

• United States: 3
• Egypt: 1
• The Bahamas: 1
• United Arab Emirates: 1
• United Kingdom: 1

By Industry

• Pharmaceuticals and Cosmetics: 1
• Construction and Technology: 1
• Hospitality: 1
• Financial Services: 1
• Government: 1
• Pharmaceuticals: 1
• Transportation/Trucking/Railroad: 1

The distribution shows a primary focus on the United States and diversified international targeting. Ransomware groups use a broad opportunistic approach across varied industries rather than concentrating heavily on a single sector.

Ransomware News

The threat environment is dynamic, marked by new ransomware operations and the exploitation of critical vulnerabilities. This week saw World Leaks, a rebrand of Hunters International focusing on data theft, claim a breach of Hungarian media firm Mediaworks, publishing approximately 8.5 terabytes of stolen files with potential geopolitical implications. Separately, the Kairos ransomware gang exfiltrated 574GB of sensitive data, including customer PII and passport details, from Australian fine jewellery retailer Gregory Jewellers. The VECT 2.0 Ransomware-as-a-Service operation has been identified as a data-wiper targeting Windows, Linux, and ESXi environments, rendering data irrecoverable even upon ransom payment due to inherent cryptographic flaws. Insider threats continue to be a concern, with a 2020 plot against Tesla networks, involving a $1 million offer to an employee to plant malware, successfully thwarted through rapid reporting and FBI collaboration.

Technical developments include the rapid weaponization of a critical cPanel/WHM vulnerability, CVE-2026-41940, enabling authentication bypass and remote control. Threat actors quickly exploited this flaw to target government and military domains in Southeast Asia, as well as MSPs and hosting providers, using publicly available Proof-of-Concepts and deploying Mirai botnet variants and the Sorry ransomware. The Linux privilege escalation vulnerability CVE-2026-31431 (Copy Fail) and a GitHub remote code execution flaw CVE-2026-3854 have emerged as significant exposures. The ongoing proliferation of AI-powered phishing campaigns, exemplified by kits like Bluekit, continues to enhance social engineering tactics, while TeamPCP-led supply-chain compromises are distributing malware through developer tools.

These incidents collectively show a persistent blend of advanced social engineering, critical vulnerability exploitation, specialized data exfiltration, and other tactics driving current ransomware operations. This situation requires strong threat intelligence and proactive defense strategies, a topic frequently covered in our new ransomware victims reports.

Technical Takeaways

• Data-Wiping Ransomware: The analysis of VECT 2.0 shows a dangerous trend of ransomware variants designed to irrevocably destroy data, negating any recovery prospects even if a ransom is paid.
• Rapid Weaponization of Critical Vulnerabilities: The cPanel/WHM vulnerability (CVE-2026-41940) was rapidly exploited by multiple actors, including ransomware groups like Sorry, to target government entities and MSPs within 24 hours of disclosure.
• Persistent Targeting of Government and Critical Sectors: Groups like Qilin continue to target public sector institutions, as seen with the City of Sandstone incident. Broader exploitation campaigns also target government and military domains in Southeast Asia. For more context on such targeting, refer to our previous analysis on Qilin ransomware and cPanel exploitation.
• Initial Access Tactics: AI-powered phishing campaigns and supply-chain compromises via developer tools by actors like TeamPCP show a shift towards more sophisticated and scalable initial access vectors.
• Insider Threat: The thwarted Tesla plot demonstrates the persistent risk of insider threats. Employee vigilance and reporting mechanisms are important in preventing ransomware attacks.

FAQ

Q: Which ransomware groups were most active in the last 24 hours?

Lamashtu was the most active group, observed with two new victims. Other groups, including DragonForce, INC Ransom, Interlock, Qilin, and Space Bears, each claimed one victim during this period.

Q: What industries did ransomware actors primarily target today?

Today's targeting was diverse, with significant incidents observed in Hospitality & Travel, Pharmaceuticals & Biotech, Financial Services, Professional Services, Transportation & Logistics, and the Government/Public Sector.

Q: Were any government entities targeted by ransomware today?

Yes, the City of Sandstone in the United States was targeted by the Qilin ransomware group. The cPanel/WHM vulnerability (CVE-2026-41940) was also rapidly weaponized against government and military domains in Southeast Asia.

Q: What critical vulnerabilities are currently being exploited by ransomware operators?

A critical vulnerability in cPanel/WHM, CVE-2026-41940, enabling authentication bypass and remote control, is currently being weaponized by threat actors, including those deploying the Sorry ransomware. Other vulnerabilities include Linux exploit CVE-2026-31431 and GitHub RCE CVE-2026-3854.

About PurpleOps

PurpleOps is an AI-first cyber threat intelligence platform covering every threat vector, from ransomware tracking to attack surface discovery. Our AI agents JINX and BUGSY triage threats 24/7 and investigate incidents in natural language.

Explore our intelligence solutions:

• Ransomware Tracking
• Dark Web Monitoring
• Credential Intelligence
• Supply Chain Risk
• All Solutions

Ransomware Report - 05/03/2026

Statistical Overview

Victim Totals

• This month: 60
• This quarter: 817
• Year to date: 3435
• Last 24h: 13

Quarterly Breakdown

Ransomware activity continues with 13 new victims in the last 24 hours, bringing the total to 60 victims this month. Q2 figures currently trail Q1's high volume, but sustained daily operations show threat actors continue pressure across various sectors, as detailed in our Breach Detection Report for May 3rd.

Introduction

In the past 24 hours, ransomware activity saw 13 new victims posted to leak sites. The Qilin group was active, accounting for six of these incidents, followed by M3RXDLS and SLSH. Targeting primarily concentrated on the United States, with Canada and Germany also affected. The technology and financial technology sectors bore the brunt of these attacks, alongside other industries.

Ransomware Summary Table

Today's activity was led by Qilin, responsible for nearly half of all reported incidents. Previous analyses, such as our Ransomware Threat Activity Update on May 1st, show Qilin continues to target broadly across North America. M3RXDLS also showed activity, impacting technology and construction firms, aligning with previous observations detailed in our M3RXDLS Ransomware Threat Activity report from April 26th. The Everest group attacked Fiserv, a major financial technology corporation in the United States, an incident that shows persistent pressure on critical financial infrastructure.

Victim Distribution

By Country

• United States: 10
• Canada: 2
• Germany: 1

By Industry

• Construction: 1
• Quantum Computing: 1
• Information Technology: 1
• Architectural Signage Design and Fabrication: 1
• Educational Technology: 1
• Financial Technology: 1
• Healthcare: 1
• HVAC Services: 1
• Manufacturing - Custom Machinery: 1
• Newspaper Publishing: 1

The United States remains the primary target, accounting for most of today's ransomware victims. While a range of industries were impacted, the concentration of attacks within various technology sub-sectors (Information Technology, Educational Technology, Financial Technology, Quantum Computing) shows these entities hold continued high value for ransomware operators.

Ransomware News

Topline

A critical cPanel/WHM authentication bypass vulnerability, CVE-2026-41940, has been under mass exploitation in the wild, leading to widespread "Sorry" ransomware attacks.

Campaigns & Operations

The "Sorry" ransomware campaign has actively used a critical cPanel/WHM flaw, CVE-2026-41940, for mass exploitation since February. Attackers breached servers and deployed a Go-based Linux encryptor, appending the .sorry extension to encrypted files. Victims are directed to a Tox-based chat for negotiation, with Shadowserver identifying approximately 44,000 affected IP addresses.

Vulnerabilities & TTPs

The campaign exploits CVE-2026-41940, an authentication bypass vulnerability within cPanel/WHM. This involves gaining initial access through a critical software flaw to facilitate subsequent encryption and extortion.

Analyst Note

This incident shows a persistent threat actor strategy involving the mass exploitation of critical vulnerabilities in widely adopted enterprise software for initial access.

Technical Takeaways

• Qilin continues to be a very active ransomware group, diversifying its targeting across sectors like Media & Entertainment and Technology/Software in North America.
• The exploitation of CVE-2026-41940 in cPanel/WHM by the "Sorry" ransomware campaign shows a focus on mass exploitation of critical, widely used software for initial access.
• The targeting of Fiserv by Everest shows ongoing threats specifically directed at the financial technology sector, which handles sensitive data and critical infrastructure.
• Technology-related industries, broadly defined, consistently remain the most frequent targets, showing their perceived value and potential vulnerability.
• Activity includes both very active, established groups (Qilin) and emerging or less frequently observed groups (M3RXDLS, SLSH), which shows dynamic threat actor activity.

FAQ

Q: Which ransomware groups were most active in the last 24 hours?

The Qilin ransomware group was the most active in the past 24 hours, publicly claiming six new victims. Following Qilin, M3RXDLS announced three new victims, and SLSH listed two.

Q: What industries were most affected by ransomware today?

The technology sector, encompassing information technology, educational technology, financial technology, and quantum computing, was most affected today. Other affected industries included construction, healthcare, real estate, and manufacturing.

Q: What countries saw the highest ransomware victim count on 05/03/2026?

The United States recorded the highest number of ransomware victims in the last 24 hours, with 10 incidents. Canada followed with two victims, and Germany reported one.

Q: Was any new vulnerability exploited by ransomware in the last 24 hours?

Yes, a critical cPanel/WHM authentication bypass flaw, identified as CVE-2026-41940, has been mass-exploited by the "Sorry" ransomware group since February. This vulnerability allowed attackers to breach servers and deploy their Linux encryptor.

Q: Were there any high-profile ransomware victims today?

Yes, Fiserv, a major financial technology provider in the United States, was listed as a victim by the Everest ransomware group. This is a high-value target due to its critical role in financial infrastructure.

About PurpleOps

PurpleOps is an AI-first cyber threat intelligence platform covering every threat vector, from ransomware tracking to attack surface discovery. Our AI agents JINX and BUGSY triage threats 24/7 and investigate incidents in natural language.

Explore our intelligence solutions:

• Ransomware Tracking
• Dark Web Monitoring
• Credential Intelligence
• Supply Chain Risk
• All Solutions

Ransomware Report - 05/02/2026

Statistical Overview

Victim Totals

• This month: 47
• This quarter: 804
• Year to date: 3422
• Last 24h: 35

Quarterly Breakdown

Q1: 2622 | Q2: 804 | Q3: 0 | Q4: 0

Ransomware activity in Q2, while lower than the peak of Q1, continues to add to the year-to-date victim count. The past 24 hours observed an increase, with 35 new victims reported.

Introduction

The past 24 hours saw a rise in ransomware activity, with 35 new victims added to public leak sites. The Fulcrum group was very active, responsible for most incidents, while CMD and Everest also attacked several targets. Geographically, the United States, United Kingdom, and Germany experienced the highest concentration of targeting. Financial Services, Healthcare, and Construction & Engineering sectors were most affected by attacks. For more information on recent trends, refer to our recent general ransomware activity update.

Ransomware Summary Table

Today's ransomware activity saw Fulcrum as the primary actor, which posted 22 new victims across diverse geographies including Japan and India, primarily affecting Financial Services and Transportation & Logistics. Other groups like CMD and Everest targeted businesses in the United States, United Kingdom, and Canada, focused on Pharmaceuticals & Biotech, Construction & Engineering, and Financial Services. Our ongoing analysis, including previous reports on new ransomware victims and relevant industries, shows these key sectors remain under attack.

Notable targeting observed today includes Energyaction.com.au by SafePay, an attack on the Energy & Utilities sector in Australia, and Bomuhospital.org by Krybit, affecting the Healthcare sector in Kenya. The Everest group, which we have previously detailed in our reports on active ransomware groups, continues to target key financial service providers.

Victim Distribution

By Country

• United States: 15
• United Kingdom: 5
• Germany: 3
• Canada: 3
• Australia: 2
• None: 1
• Kenya: 1
• Japan: 1
• India: 1
• Denmark: 1

By Industry

• Software Development: 4
• Financial Services: 4
• Healthcare: 3
• Construction: 2
• Military and Government Procurement: 1
• Mining and Technology: 1
• Legal and Business Services: 1
• Landscape Architecture and Urban Design: 1
• Information and Analytics: 1
• Healthcare Technology: 1

The United States remains the primary target, with nearly half of the reported victims. However, the geographic spread across 10 countries shows ransomware operators use a broad, indiscriminate approach, with Financial Services and Healthcare consistently affected.

Ransomware News

Topline

Significant legal action against ransomware affiliates and ongoing operational disruptions from attacks show that the ransomware threat is persistent and evolving.

Campaigns & Operations

Two U.S. cybersecurity professionals, Ryan Goldberg and Kevin Martin, were sentenced to four years in prison for acting as affiliates for the ALPHV/BlackCat ransomware group in 2023. They used their incident response and negotiation skills in a ransomware-as-a-service model, extorting over 1,000 victims globally, taking a 20% developer cut and leaking patient data. Separately, Columbia Surgical Partners in Tennessee reported inaccessible electronic health records following a ransomware incident at its parent company, Advanced Diagnostic Imaging (ADI), which disrupted access to patient charts and surgical schedules across multiple offices.

Vulnerabilities & TTPs

While specific CVEs were not reported, the ALPHV affiliate case shows the insider threat vector and the abuse of legitimate cybersecurity expertise for ransomware operations. Frontier AI models like Mythos could give attackers faster, more capable extortion methods, possibly increasing average ransom payments. This requires strong defensive strategies such as real-time microsegmentation and continuous asset visibility.

Analyst Note

These events demonstrate two challenges: sophisticated human actors in ransomware operations and the emerging threat of AI orchestrating attacks. Both contribute to the persistent risk for critical sectors.

Technical Takeaways

• Fulcrum was the most active ransomware group in the past 24 hours, responsible for 22 out of 35 reported victims.
• The United States had the highest number of ransomware victims (15), followed by the United Kingdom (5) and Canada (3).
• Financial Services and Software Development were the most targeted industries, each with 4 reported victims.
• Critical infrastructure and healthcare entities, such as Energyaction.com.au (Energy & Utilities) and Bomuhospital.org (Healthcare), were among the high-value targets.
• Several different ransomware groups, with nine distinct entities claiming victims, shows a fragmented but active threat environment.

FAQ

Q: Which ransomware groups were most active on May 2, 2026?

The Fulcrum ransomware group was the most active, responsible for 22 new victims in the last 24 hours. CMD and Everest were also active, each reporting 3 new victims.

Q: What industries did ransomware groups primarily target today?

Ransomware groups primarily targeted the Software Development and Financial Services industries, each had 4 new reported victims. Healthcare also had 3 new victims.

Q: Which countries experienced the most ransomware attacks in the last 24 hours?

The United States had the highest number of ransomware attacks with 15 victims in the last 24 hours. The United Kingdom followed with 5 victims, and Canada and Germany each reported 3 victims.

Q: Were there any notable high-value ransomware victims reported today?

Yes, high-value victims include Energyaction.com.au in Australia, which affected the Energy & Utilities sector, and Bomuhospital.org in Kenya, which affected the Healthcare sector. This shows continued targeting of critical infrastructure and services.

Q: What is the current cumulative ransomware victim count for the quarter?

As of May 2, 2026, the cumulative ransomware victim count for this quarter is 804. The year-to-date total is 3422 victims, showing ongoing high levels of ransomware activity.

About PurpleOps

PurpleOps is an AI-first cyber threat intelligence platform covering every threat vector, from ransomware tracking to attack surface discovery. Our AI agents JINX and BUGSY triage threats 24/7 and investigate incidents in natural language.

Explore our intelligence solutions:

- Ransomware Tracking

- Dark Web Monitoring

- Credential Intelligence

- Supply Chain Risk

- All Solutions

Ransomware Report - 05/01/2026

Statistical Overview

Victim Totals

• This month: 12
• This quarter: 769
• Year to date: 3388
• Last 24h: 20

Quarterly Breakdown

Ransomware activity continues at a consistent pace in Q2, with 769 victims reported this quarter. While Q1 saw a higher overall volume, the current daily rate suggests a sustained threat level as the second quarter progresses.

Introduction

Over the past 24 hours, PurpleOps observed 20 new ransomware victims. The most active groups included Qilin with 7 new targets, LockBit with 4, and World_Leaks affecting 3 organizations. Attacks were geographically concentrated in the United States, with targets in the Construction, Financial Services, and Technology sectors.

Ransomware Summary Table

Today's activity shows Qilin was the most active group, claiming seven new victims primarily in the United States, with a focus on sectors like Media & Entertainment and Agriculture & Food. LockBit maintains a presence with four new victims across Turkey and Spain, impacting Construction and Technology. World_Leaks continues to target organizations like Ceywater consultants and Peyton law firm, affecting Telecommunications and Construction firms in the U.S. and Sri Lanka. For more information on active ransomware groups, see our recent report on active ransomware groups.

Victim Distribution

By Country

• United States: 13
• Spain: 2
• Canada: 1
• Turkey: 1
• Thailand: 1
• Sri Lanka: 1
• None: 1

By Industry

• Construction: 2
• Education Technology: 1
• Telecommunications: 1
• Media & Entertainment: 1
• Law Practice: 1
• Insurance: 1
• Healthcare Services: 1
• Health Insurance: 1
• Golf Courses and Country Clubs: 1
• Food & Beverage: 1

The United States remains the primary target geography, accounting for 65% of new victims in the last 24 hours. Industry targeting is diverse, with Construction appearing twice, and other sectors like Education Technology, Financial Services, and Healthcare each seeing single instances. This indicates a broad, opportunistic approach by ransomware operators rather than a narrow sector focus.

Ransomware News

Topline

Recent developments show the complexity of ransomware threats, from legal consequences for affiliates to evolving attack methods and their societal impacts.

Campaigns & Operations

Two former cybersecurity incident responders received four-year prison sentences for their involvement as BlackCat/ALPHV affiliates, conspiring to obstruct commerce by extortion. Meanwhile, the M3rx ransomware group listed Prime Properties, a Sydney-based consultancy, as a victim, claiming exfiltrated data. Cybercriminals also leaked data from a ransomware attack against Winona County, Wisconsin, which disrupted vital statistics and DMV systems. The FBI reported on a rising cargo-theft model where attackers breach freight systems to impersonate companies, post fraudulent loads, and hijack valuable cargo, sometimes demanding ransom for shipments. Reports indicate a surge in hospital ransomware attacks, with a University of Minnesota study linking such incidents to at least 47 patient deaths from 2016-2021 due to care delays.

Vulnerabilities & TTPs

The M3rx ransomware variant employs a PE32+ x64 Go binary with an embedded configuration, utilizing X25519 key exchange and AES-CTR for encryption. The FBI advisory on cargo theft outlines a method: attackers use compromised carrier accounts to spoof brokers, alter details with authorities, and hijack shipments.

Analyst Note

These incidents reflect a persistent threat environment, marked by sophisticated criminal collaboration, new groups, and attack methods that impact critical supply chains and essential services.

Technical Takeaways

• Qilin was highly active, accounting for 35% of new victims in the past 24 hours. More on recent victim trends can be found in our new ransomware victims report from April 30th.
• The United States continues to be the predominant target, with 13 of 20 victims located within the country.
• Industry targeting remains opportunistic, with Construction, Financial Services, Technology, and Healthcare sectors each experiencing multiple incidents.
• The M3rx ransomware variant utilizes a PE32+ x64 Go binary for its operations, employing specific cryptographic methods.
• Recent intelligence shows criminal TTPs have evolved to include cargo hijacking for ransom, as well as legal actions against ransomware affiliates.

FAQ

Q: Which ransomware groups were most active in the past 24 hours?

Qilin was the most active ransomware group, claiming 7 new victims. LockBit followed with 4 new victims, and World Leaks reported 3 new targets. These groups collectively accounted for over 70% of today's observed activity. For broader Q2 trends, refer to our Q2 ransomware activity report.

Q: What countries were most affected by ransomware attacks today?

The United States was the most targeted country, experiencing 13 of the 20 new ransomware attacks. Other affected countries included Spain (2 victims), and single instances in Canada, Turkey, Thailand, and Sri Lanka.

Q: Which industries were predominantly targeted by ransomware operators today?

While targeting was diverse, the Construction industry saw two new victims. Other sectors experiencing single attacks included Education Technology, Telecommunications, Media & Entertainment, Financial Services, Healthcare, and Insurance, indicating a broad scope of targeting.

Q: Were there any ransomware news developments or new TTPs reported today?

Yes, news includes the sentencing of two former cybersecurity incident responders for their involvement as BlackCat/ALPHV affiliates. The FBI also reported on a rising trend of cargo-theft where attackers hijack shipments and demand ransom, and the M3rx group was observed using a PE32+ x64 Go binary for encryption.

About PurpleOps

PurpleOps is an AI-first cyber threat intelligence platform covering every threat vector, from ransomware tracking to attack surface discovery. Our AI agents JINX and BUGSY triage threats 24/7 and investigate incidents in natural language.

Explore our intelligence solutions:

• Ransomware Tracking
• Dark Web Monitoring
• Credential Intelligence
• Supply Chain Risk
• All Solutions

Ransomware Report - 04/30/2026

Statistical Overview

Victim Totals

• This month: 750
• This quarter: 750
• Year to date: 3369
• Last 24h: 32

Quarterly Breakdown

Q1: 2622 | Q2: 750 | Q3: 0 | Q4: 0

The first month of Q2 has seen 750 reported ransomware victims, indicating a significant pace of activity that could exceed Q1's total if current trends persist.

Introduction

In the last 24 hours, PurpleOps observed 32 new ransomware victims. Qilin was responsible for seven reported incidents, followed by The_Gentelman with five. Financial Services and Manufacturing were the main sectors impacted, and the United States registered the highest number of new attacks.

Ransomware Summary Table

Qilin continues to show activity, targeting sectors like pharmaceuticals and financial services across multiple geographies including the Philippines and Colombia. The_Gentelman also remained active, impacting financial services and retail in Sweden and Turkey. For more information on the groups operating this month, refer to our latest ransomware groups report for April 29 and a proactive threat update on Qilin. A broader view on Q2 trends can be found in our active ransomware groups Q2 report.

Victim Distribution

By Country

• United States: 16
• Italy: 3
• Zambia: 1
• Belgium: 1
• Turkey: 1
• Sweden: 1
• Poland: 1
• Philippines: 1
• Peru: 1
• Papua New Guinea: 1

By Industry

• Financial Services: 3
• Manufacturing: 3
• Real Estate: 2
• Retail: 2
• Advertising Services: 1
• Insurance: 1
• Spring and Wire Product Manufacturing: 1
• Pediatric Dentistry: 1
• Non-profit Organizations: 1
• Legal Services: 1

The United States remains the primary target for ransomware operators, accounting for half of all reported victims in the last 24 hours. Financial Services and Manufacturing continue to be consistently targeted across various regions.

Ransomware News

Topline

The past 24 hours saw several critical ransomware incidents affecting public services, educational institutions, and industrial technology firms, and a regional threat analysis showed significant increases in ransomware activity.

Campaigns & Operations

Taiwanese firm Syntec Technology Co., Ltd. disclosed a ransomware attack around April 29, 2026, which triggered immediate incident response measures, with preliminary assessments indicating no material impact on operations or confidential data leakage. Concurrently, Austria's B3-Schulzentrum in Bruck an der Mur experienced a cyberattack on April 29, 2026, where attackers demanded ransom and claimed exfiltration of sensitive student data, prompting containment and recovery efforts. In the United States, Adams County, Mississippi, offices were disrupted for over a week by a ransomware attack, traced to a Windows 7 PC in its sanitation department, leading to significant IT infrastructure overhaul costs.

Vulnerabilities & TTPs

The Adams County incident shows the risk posed by legacy operating systems like Windows 7 as initial access vectors. Separately, an analysis of the Australia and New Zealand ICS threat environment for Q4 2025 indicated a 1.6x increase in ransomware, primarily driven by internet-origin threats and coinciding with phishing campaigns that increased worm and spyware activity in operational technology environments.

Analyst Note

These incidents show the persistent threat to diverse sectors, including critical public services and education, and the ongoing challenge from outdated systems and prevalent phishing tactics.

Technical Takeaways

• Qilin ransomware group continues activity, impacting Pharmaceuticals & Biotech and Financial Services across multiple countries.
• Financial Services and Manufacturing sectors are consistently high-value targets for various ransomware groups, including The_Gentelman and PayoutsKing.
• The United States remains the most targeted region, accounting for 50% of new victims in the past 24 hours.
• Observed incidents confirm the use of legacy operating systems, such as Windows 7, as initial compromise vectors in public sector attacks.
• Regional threat reports indicate a sustained increase in internet-origin ransomware attacks, often linked to phishing campaigns, affecting industrial control systems.

FAQ

Q: Which ransomware groups were most active on April 30, 2026?

Qilin was the most active ransomware group on April 30, 2026, with seven reported victims. Following Qilin, The_Gentelman claimed five victims, and PayoutsKing was responsible for three, making them the top three most active groups observed today.

Q: What industries were most targeted by ransomware on April 30, 2026?

Financial Services and Manufacturing were the most targeted industries on April 30, 2026, each experiencing three new ransomware incidents. Other affected sectors included Real Estate, Retail, Professional Services, and Pharmaceuticals & Biotech.

Q: Which country experienced the highest number of ransomware victims in the last 24 hours?

The United States reported the highest number of ransomware victims in the last 24 hours, with 16 new incidents. This accounts for half of all reported victims, indicating a significant focus by ransomware operators on U.S. entities.

Q: Were there any notable attacks on government or critical infrastructure today?

Yes, Adams County, Mississippi, experienced a ransomware attack that disrupted county offices for over a week, leading to a significant IT overhaul. Additionally, the B3 School Center in Austria suffered a cyberattack with ransom demands and claims of student data exfiltration.

Q: What are the latest ransomware activity trends in Australia and New Zealand?

According to a Q4 2025 report, Australia and New Zealand's ICS threat environment saw a 1.6x increase in ransomware activity. These attacks were primarily internet-origin driven and coincided with phishing campaigns that increased worm and spyware presence in OT environments, with New Zealand leading in ransomware detections.

About PurpleOps

PurpleOps is an AI-first cyber threat intelligence platform covering every threat vector, from ransomware tracking to attack surface discovery. Our AI agents JINX and BUGSY triage threats 24/7 and investigate incidents in natural language.

Explore our intelligence solutions:

• Ransomware Tracking
• Dark Web Monitoring
• Credential Intelligence
• Supply Chain Risk
• All Solutions

Ransomware Report - 04/29/2026

Statistical Overview

Victim Totals

• This month: 718
• This quarter: 718
• Year to date: 3337
• Last 24h: 23

Quarterly Breakdown

Q1: 2622 | Q2: 718 | Q3: 0 | Q4: 0

Ransomware activity continues into Q2, with 718 victims recorded this quarter after 2622 in Q1. This shows organizations globally face ongoing attacks.

Introduction

In the past 24 hours, 23 new ransomware victims appeared on leak sites. Aur0ra and Qilin were the most active groups, each claiming six targets. Other groups included INC_Ransom, M3RXDLS, and Blackwater. The United States remained the primary geographic target, and sectors like Transportation & Logistics, Education, and Government saw activity.

Ransomware Summary Table

Aur0ra and Qilin were most active today, each claiming six victims across various sectors and regions. Aur0ra focused on Transportation & Logistics and Legal firms in the United States and Australia. Qilin affected Education and Construction & Engineering in the United Kingdom and United States. Everest targeted Indonesia's customs analytics platform, showing ongoing attacks on public-sector infrastructure. For more on Qilin's recent activities, see our ransomware threat activity update.

Victim Distribution

By Country

• United States: 13
• Australia: 2
• United Kingdom: 2
• Taiwan: 1
• Maldives: 1
• Indonesia: 1
• India: 1
• Hungary: 1
• China: 1

By Industry

• Information Technology and Services: 2
• Clinical Toxicology and Molecular Diagnostics: 1
• Warehousing: 1
• Third-Party Logistics (3PL): 1
• Property Management: 1
• Oil and Gas: 1
• Legal Services: 1
• Law Firms & Legal Services: 1
• Healthcare: 1
• Government: 1

The United States was hit hardest by ransomware attacks today, accounting for over half of all new victims and showing continued targeting of North American entities. Many industries were affected, but no single sector dominated beyond IT and Legal services.

Ransomware News

Topline

Today's ransomware intelligence showed new groups appearing, critical vulnerabilities exploited, operational details of existing threats, and internal conflicts within the ransomware environment.

Campaigns & Operations

The new Vect ransomware-as-a-service (RaaS) operation uses a mature affiliate network, providing a Builder for custom encryptors across Windows, Linux, and ESXi, and is linked to TeamPCP. Meanwhile, Gelatissimo, Australia's largest gelato retailer, confirmed unauthorized network access after claims from the DragonForce ransomware group, which claims to have stolen 352.24 GB of data. Also, the M3RX ransomware group has appeared, and ShinyHunters claimed a data leak from a US interactive media company. A feud between ransomware groups 0APT and KryBit led to both leaking each other's operational data, including admin panels and access logs, offering insight into their infrastructure. Specific incidents included a ransomware attack on Pricon Microelectronics, Inc. (Philippines) affecting servers on April 22, 2026, and a confirmed encryption event at Mam Create Co., Ltd. (Japan) on April 7, 2024. For more information into M3RXDLS, review our threat activity report from April.

Vulnerabilities & TTPs

CISA added two actively exploited flaws to its Known Exploited Vulnerabilities catalog: CVE-2024-1708, a high-severity path traversal in ConnectWise ScreenConnect enabling remote code execution, and CVE-2026-32202, a Windows Shell protection mechanism failure that could allow network spoofing. Exploitation of CVE-2024-1708/1709 has been linked to Medusa ransomware campaigns. Separately, Check Point's analysis revealed that Vect 2.0 ransomware, despite its intent, acts as a data wiper for large files due to a design error, making three-quarters of encrypted data unrecoverable across Windows, Linux, and VMware ESXi environments.

Analyst Note

This activity shows the changing nature of ransomware, with RaaS offerings becoming more professional, critical vulnerabilities quickly exploited, and unexpected tactical information emerging from inter-group conflicts.

Technical Takeaways

• Dominant Groups: Aur0ra and Qilin accounted for over 50% of new ransomware victims in the last 24 hours, showing their high activity level.
• Government Targeting: Everest specifically targeted Indonesia's customs analytics platform, showing continued attacks on public sector and critical government infrastructure.
• Wiper Functionality: Vect 2.0 ransomware has been identified as acting as an accidental wiper for large files due to a design flaw, making most encrypted data unrecoverable.
• Key Vulnerability Exploitation: CISA added CVE-2024-1708 (ConnectWise ScreenConnect) and CVE-2026-32202 (Windows Shell) to its KEV catalog. CVE-2024-1708 is noted for active exploitation in Medusa ransomware campaigns.
• Internal Group Dynamics: The public feud between 0APT and KryBit, involving data leaks of each other's infrastructure, offers insights into ransomware operational practices and affiliate models.

FAQ

Q: Which ransomware groups were most active in the last 24 hours?

Aur0ra and Qilin were the most active ransomware groups, each claiming six new victims. Other groups like INC_Ransom, M3RXDLS, and Blackwater also recorded activity.

Q: Which industries were most targeted by ransomware today?

The primary industries targeted today were Transportation & Logistics, Education, and Construction & Engineering, based on the victim profiles of the most active ransomware groups.

Q: What geographic regions experienced the most ransomware attacks on April 29, 2026?

The United States was the most targeted geographic region, with 13 new victims. Australia and the United Kingdom followed, each recording two new victims.

Q: Were any new critical vulnerabilities (CVEs) added to CISA's KEV catalog today with ransomware relevance?

Yes, CISA added CVE-2024-1708 (ConnectWise ScreenConnect) and CVE-2026-32202 (Windows Shell) to its Known Exploited Vulnerabilities catalog. Exploitation of CVE-2024-1708 has been tied to Medusa ransomware operations.

Q: What is notable about the Vect 2.0 ransomware observed today?

Vect 2.0 ransomware has been identified as acting as a data wiper for large files. A design flaw causes the loss of most encryption nonces, making approximately three-quarters of each large file unrecoverable even if a ransom were paid.

About PurpleOps

PurpleOps is an AI-first cyber threat intelligence platform covering every threat vector, from ransomware tracking to attack surface discovery. Our AI agents JINX and BUGSY triage threats 24/7 and investigate incidents in natural language.

Explore our intelligence solutions:

• Ransomware Tracking
• Dark Web Monitoring
• Credential Intelligence
• Supply Chain Risk
• All Solutions

Ransomware Report - 04/28/2026

Statistical Overview

Victim Totals

• This month: 695
• This quarter: 695
• Year to date: 3315
• Last 24h: 21

Quarterly Breakdown

Q1: 2622 | Q2: 695 | Q3: 0 | Q4: 0

Ransomware activity in Q2 shows a sustained pace, with 695 victims already recorded. While Q1 saw a higher volume, the current quarter's figures indicate persistent threat actor operations, a trend PurpleOps continues to track in its active ransomware groups Q2 report.

Introduction

In the last 24 hours, PurpleOps has identified 21 new ransomware victims, indicating continued pressure on various sectors globally. World_Leaks was the most active group, accounting for four new incidents, followed by INC_Ransom, LeakedData, LockBit, and MNT6, each with two reported victims. This activity aligns with observations from our daily ransomware reports which have previously detailed groups like INC_Ransom. This activity spans diverse industries and geographies, with a concentration in the United States.

Ransomware Summary Table

The summary table reveals World_Leaks as the top actor, primarily targeting Technology/Software and Manufacturing in Brazil and the United States. INC_Ransom, LeakedData, LockBit, and MNT6 maintained consistent activity, impacting sectors such as Legal, Manufacturing, Construction & Engineering, Healthcare, and Transportation & Logistics across the United States, Canada, New Zealand, and Spain. For more insights into LockBit's operations and broader Q2 trends, refer to our latest ransomware threat activity report. No government, military, or critical infrastructure entities were explicitly listed as new victims from these groups in the past 24 hours' data.

Victim Distribution

By Country

• United States: 10
• Italy: 2
• Sweden: 1
• Austria: 1
• Spain: 1
• New Zealand: 1
• Mexico: 1
• Indonesia: 1
• Ghana: 1
• Canada: 1

By Industry

• Legal Services: 2
• None: 1
• Software & Services: 1
• Senior Care Services: 1
• Real Estate: 1
• Mental Health Services: 1
• Law Practice: 1
• Industrial Marking Equipment: 1
• Artificial Intelligence: 1
• Architecture and Planning: 1

The United States continues to bear the brunt of ransomware attacks, accounting for nearly half of the new victims. While Legal Services saw the most explicit targeting, the overall distribution across industries remains highly diversified, reflecting opportunistic or broad-scope targeting by various groups.

Ransomware News

Topline

The past 24 hours saw significant developments, including an arrest linked to the Scattered Spider group, new ransomware incidents impacting public and private sectors, and technical insights into a destructive wiper masquerading as ransomware.

Campaigns & Operations

U.S. authorities reportedly charged a 19-year-old, known as Bouquet, tied to the Scattered Spider group following his arrest in Finland for wire fraud and computer intrusion related to multiple high-profile extortions, including Caesars and MGM Resorts. The DragonForce group claimed a 352.24 GB data theft from Australian ice-cream franchise Gelatissimo, while ShinyHunters alleged a breach of medical device maker Medtronic, claiming 9 million records. Kent District Library in Michigan reported a ransomware incident leading to branch closures and system lockdowns.

Vulnerabilities & TTPs

Check Point researchers described VECT 2.0, a "ransomware" variant that functions as a data wiper due to flawed ChaCha20-IETF encryption, irreversibly destroying files over 131KB across Windows, Linux, and ESXi. This operation features an affiliate program and anti-analysis checks. A Q4 2025 report on European industrial automation systems described sharp regional divergences in threat exposure, with Southern Europe facing high rates of targeted OT attacks via email and phishing, including ransomware growth in Greece.

Analyst Note

Ransomware continues to change, from destructive wiper functions to persistent social engineering tactics. The attack surface also varies widely, from enterprise IT to operational technology.

Technical Takeaways

1. World_Leaks continues its high operational tempo, focusing on Technology/Software and Manufacturing.
2. The reported VECT 2.0 operation shows the emergence of data wipers disguised as ransomware, complicating incident response with irreversible data destruction.
3. Geographic targeting remains broad, with the United States as a primary target, but significant activity observed across Europe, Canada, and New Zealand.
4. Scattered Spider's continued reliance on social engineering and MFA bombing for credential harvesting remains a pervasive TTP for high-value extortion.
5. The healthcare and legal sectors show persistent vulnerability, as evidenced by LockBit's targeting of healthcare and LeakedData/CL0P impacting legal services.

FAQ

Q: Which ransomware groups were most active in the last 24 hours?

A: In the past 24 hours, World_Leaks was the most active ransomware group, claiming four new victims. Following them were INC_Ransom, LeakedData, LockBit, and MNT6, each responsible for two newly reported incidents.

Q: What industries were most targeted by ransomware today?

A: Legal Services saw the highest explicit concentration of new victims with two reported incidents. However, the overall targeting was highly diversified, affecting Manufacturing, Technology/Software, Healthcare, Construction & Engineering, and Media & Entertainment.

Q: What geographic regions experienced the most ransomware attacks today?

A: The United States was the most targeted country, accounting for 10 out of the 21 new victims. Other affected regions included Italy, Sweden, Austria, Spain, New Zealand, Mexico, Indonesia, Ghana, and Canada, each reporting 1-2 incidents.

Q: Are there any new ransomware variants or important TTPs observed?

A: Yes, the VECT 2.0 "ransomware" was identified as functioning as a data wiper across Windows, Linux, and ESXi systems due to flawed encryption, rendering data irrecoverable. The arrest linked to Scattered Spider showed their continued reliance on social engineering and MFA bombing.

About PurpleOps

PurpleOps is an AI-first cyber threat intelligence platform covering every threat vector, from ransomware tracking to attack surface discovery. Our AI agents JINX and BUGSY triage threats 24/7 and investigate incidents in natural language.

Explore our intelligence solutions:

• Ransomware Tracking
• Dark Web Monitoring
• Credential Intelligence
• Supply Chain Risk
• All Solutions

Ransomware Report - 04/27/2026

Statistical Overview

Victim Totals

• This month: 674
• This quarter: 674
• Year to date: 3294
• Last 24h: 62

Quarterly Breakdown

Ransomware activity continues into Q2 at a steady pace, with 62 new victims recorded in the last 24 hours. The current quarter's total of 674 victims shows consistent operations from various threat groups.

Introduction

In the past 24 hours, 62 new ransomware victims were identified. Lapsus (14), DragonForce (13), APT73 (8), The_Gentelman (7), and Qilin were the most active groups (6 victims). The United States had the largest share of new targets. Affected sectors included Education, Pharmaceuticals & Biotech, and Financial Services. For broader context on recent trends, see our Ransomware Threat Activity Update from April 26.

Ransomware Summary Table

Lapsus was the most active group today, impacting entities in Switzerland and Spain, predominantly in Education and Pharmaceuticals. DragonForce and APT73 also showed high activity, targeting Pharmaceuticals, Financial Services, and Transportation in the United States, Australia, Egypt, and Saudi Arabia. A significant target was the Rural municipality of Gimli by Payload in Canada, showing continued interest in government and public sector entities. Qilin also continued its operations, as detailed in our Ransomware Threat Activity Update from April 25, with 6 new victims today.

Victim Distribution

By Country

• United States: 20
• France: 5
• United Kingdom: 4
• Canada: 4
• Germany: 3
• Singapore: 2
• Italy: 2
• Japan: 2
• Saudi Arabia: 2
• Spain: 1

By Industry

• Manufacturing: 3
• Healthcare: 3
• Retail: 3
• Education: 3
• Insurance: 2
• Textile Manufacturing: 2
• Non-profit Organization: 2
• Software Development: 2
• Oil and Gas: 2
• Healthcare Information Services: 1