Ransomware Report - 04/23/2026
Statistical Overview
Victim Totals
- This month: 558
- This quarter: 558
- Year to date: 3179
- Last 24h: 19
Quarterly Breakdown
Q1: 2622 | Q2: 558 | Q3: 0 | Q4: 0
Ransomware activity continues into Q2, with 558 victims already reported this quarter. This consistent activity places pressure on global organizations. The 19 new victims in the last 24 hours show ongoing threat actor operations.
Introduction
In the past 24 hours, PurpleOps observed 19 new ransomware victims, driven by groups such as CoinbaseCartel and INC Ransom, among others. The United States remains the most targeted country, with the Professional Services, Government/Public Sector, and Technology/Software sectors experiencing significant impact. Threat actors continue to diversify their approaches, using social engineering tactics and experimenting with new encryption techniques.
Ransomware Summary Table
| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|---|---|---|---|---|
| 1 | CoinbaseCartel | 7 | Aptim, Integer holdings, Kementerian pertanian (+4) | Brazil, Indonesia | Government / Public Sector, Technology / Software |
| 2 | INC Ransom | 3 | krwlawyers.com, teamster773.org, trugreen.com | United States | Nonprofit, Professional Services |
| 3 | Akira | 2 | Alkegen, Gumpp kunststoffe | United States, Germany | Retail & Ecommerce, Manufacturing |
| 4 | Anubis | 1 | Marnell financial services | None | Professional Services |
| 5 | BlackShrantac | 1 | Lenmax | France | Professional Services |
| 6 | Bravox | 1 | 1st solution ctc ?? | Germany | Professional Services |
| 7 | DragonForce | 1 | Incyte | United States | Pharmaceuticals & Biotech |
| 8 | Kairos | 1 | Gregory jewellers | Australia | Retail & Ecommerce |
| 9 | LeakedData | 1 | Jackson lewis | United States | Legal |
| 10 | World Leaks | 1 | Virginia health services | United States | Healthcare |
CoinbaseCartel was the most active group, accounting for seven new victims, targeting government and technology entities across Brazil and Indonesia. INC Ransom and Akira followed, focusing on Professional Services and manufacturing sectors primarily in the United States and Germany. A high-value breach includes Kementerian pertanian (Ministry of Agriculture) in Indonesia by CoinbaseCartel. This indicates persistent targeting of public-sector institutions.
Victim Distribution
By Country
- United States: 10
- Germany: 2
- Australia: 1
- Peru: 1
- None: 1
- Indonesia: 1
- France: 1
- Canada: 1
- Brazil: 1
By Industry
- Biopharmaceuticals: 1
- Specialty Materials Manufacturing: 1
- Medical Equipment Manufacturing: 1
- Medical Devices: 1
- Legal Services: 1
- Legal Practice: 1
- Lawn Care Services: 1
- Labor Union: 1
- Healthcare: 1
- Environmental Services: 1
The United States continues to experience the highest concentration of ransomware attacks, consistent with historical trends. While the industries targeted today are diverse, Professional Services appeared multiple times. This suggests either an opportunistic or strategic approach to targeting business operations.
Ransomware News
Today's intelligence shows continuous evolution and diversity in ransomware operations, with technical advancements and new actors emerging.
Topline
Threat actors are employing social engineering and established ransomware-as-a-service (RaaS) models, alongside technical capabilities, to compromise organizations across various sectors, while also exploring new encryption methods.
Campaigns & Operations
The data exfiltration group ShinyHunters claimed breaches against a major U.S. convenience-store chain and a U.S. software development firm. This signals cross-sector risks related to dark web monitoring and data exfiltration. ASEC introduced Prinz Eugen, a new data-extortion group. "The Gentlemen" ransomware-as-a-service (RaaS) outfit has rapidly risen since mid-2025, deploying a GO-written, cross-platform locker, using SystemBC SOCKS5 proxy for covert operations, and showing an enterprise-scale intrusion capability via Active Directory Group Policy. Genealogy SA, an Australian nonprofit, confirmed a cyber incident with SafePay claiming exfiltrated data, while LockBit was speculatively linked to a February technology outage in Orange, Virginia.
Vulnerabilities & TTPs
Social engineering remains a critical vector, with the M&S breach showing how a single password reset, achieved via social engineering against a service desk, can lead to legitimate credential exfiltration and subsequent ransomware deployment. Kyber ransomware variants, analyzed by Rapid7, showcase technical experimentation, including a Windows build written in Rust that incorporates Kyber1024 for symmetric key protection and an experimental Hyper-V targeting option, alongside multi-platform capabilities for VMware ESXi environments. The Gentlemen group employs antivirus killers and complex infection chains for lateral movement.
Technical Takeaways
- Persistence in Professional Services Targeting: Professional Services firms consistently appear among the top targeted industries. This indicates either opportunistic attacks or a strategic focus on entities handling sensitive client data.
- Rise of New and Advanced Groups: The rapid ascent of "The Gentlemen" and the emergence of "Prinz Eugen" show a changing threat environment with new actors bringing advanced capabilities, including GO-written malware and advanced lateral movement.
- Experimentation with Post-Quantum Cryptography: Kyber ransomware's implementation of Kyber1024 in its Windows variant, even if experimental, demonstrates a forward-looking approach by threat actors to encryption methodologies, potentially anticipating future cryptographic shifts.
- Social Engineering as a Primary Vector: The M&S breach shows that social engineering, around password resets, remains an effective initial access technique, leading to significant financial and operational impact.
- Geographic Concentration in the United States: The United States continues to be the most frequently targeted country, suggesting a sustained focus by ransomware groups on U.S.-based organizations.
FAQ
Q: Which ransomware groups were most active today, 04/23/2026?
CoinbaseCartel was the most active ransomware group in the past 24 hours, responsible for 7 new victims. INC Ransom followed with 3 victims, and Akira reported 2 new victims during this period.
Q: What industries were most targeted by ransomware today?
In the last 24 hours, Professional Services was a frequently targeted sector, with groups like INC Ransom, Anubis, and BlackShrantac impacting multiple organizations. Government/Public Sector and Technology/Software also saw targeting, especially by CoinbaseCartel.
Q: What geographic regions saw the most ransomware attacks in the last 24 hours?
The United States experienced the highest number of ransomware victims today, with 10 reported incidents. Germany followed with 2 victims, and Brazil, Indonesia, France, Australia, Peru, and Canada each reported one new victim.
Q: Were any new ransomware groups identified or highlighted in today's intelligence report?
Yes, today's intelligence introduced Prinz Eugen as a new data-extortion group. "The Gentlemen" ransomware-as-a-service outfit was also highlighted for its rapid ascent since mid-2025 and advanced technical capabilities, placing it among top-tier actors.
Q: What technical trends or tactics did threat actors employ in recent ransomware activity?
Recent activity showcases several key technical trends, including Kyber ransomware's experimentation with post-quantum encryption (Kyber1024) in its Windows variant and its multi-platform targeting of ESXi environments. Social engineering, for password resets, was also noted as an effective initial access method, leading to credential compromise and subsequent ransomware deployment.