Ransomware Report - 04/28/2026
Statistical Overview
Victim Totals
- This month: 695
- This quarter: 695
- Year to date: 3315
- Last 24h: 21
Quarterly Breakdown
Q1: 2622 | Q2: 695 | Q3: 0 | Q4: 0
Ransomware activity in Q2 shows a sustained pace, with 695 victims already recorded. While Q1 saw a higher volume, the current quarter's figures indicate persistent threat actor operations, a trend PurpleOps continues to track in its active ransomware groups Q2 report.
Introduction
In the last 24 hours, PurpleOps has identified 21 new ransomware victims, indicating continued pressure on various sectors globally. World_Leaks was the most active group, accounting for four new incidents, followed by INC_Ransom, LeakedData, LockBit, and MNT6, each with two reported victims. This aligns with observations from our daily ransomware reports, which have previously detailed groups like INC_Ransom. The victims span diverse industries and geographies, with a concentration in the United States.
Ransomware Summary Table
| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|---|---|---|---|---|
| 1 | World Leaks | 4 | Birtcher anderson & davis, Carma packaging, Dime distribuidora (+1) | Brazil, United States | Technology / Software, Manufacturing |
| 2 | INC Ransom | 2 | sumacinc.com, www.durable-tech.com | United States | Construction & Engineering, Manufacturing |
| 3 | LeakedData | 2 | Floyd skeren manukian langevin, llp, Floyd skeren manukian langevin, llp information | United States | Legal |
| 4 | LockBit | 2 | instapack.es, stllc.org | Spain, United States | Healthcare, Transportation & Logistics |
| 5 | MNT6 | 2 | McKay, Silfab Solar | Canada, New Zealand | Construction & Engineering, Manufacturing |
| 6 | Qilin | 2 | Leone film group spa, Lifeline pcs | United States, Italy | Media & Entertainment, Healthcare |
| 7 | APT73 | 1 | Providentgh.com | Ghana | Insurance |
| 8 | CL0P | 1 | Injurylawyers.com | United States | Legal |
| 9 | DragonForce | 1 | Promotion ab | Sweden | Professional Services |
| 10 | Everest | 1 | Super ai | United States | Technology / Software |
| 11 | Krybit | 1 | Moser-spiel.at | Austria | Manufacturing |
| 12 | M3RXDLS | 1 | Rotak.it | Italy | Automotive |
The summary table reveals World_Leaks as the top actor, primarily targeting Technology/Software and Manufacturing in Brazil and the United States. INC_Ransom, LeakedData, LockBit, and MNT6 maintained consistent activity, impacting sectors such as Legal, Manufacturing, Construction & Engineering, Healthcare, and Transportation & Logistics across the United States, Canada, New Zealand, and Spain. For more insights into LockBit's operations and broader Q2 trends, refer to our latest ransomware threat activity report. No government, military, or critical infrastructure entities were explicitly listed as new victims from these groups in the past 24 hours' data.
Victim Distribution
By Country
- United States: 10
- Italy: 2
- Sweden: 1
- Austria: 1
- Spain: 1
- New Zealand: 1
- Mexico: 1
- Indonesia: 1
- Ghana: 1
- Canada: 1
By Industry
- Legal Services: 2
- None: 1
- Software & Services: 1
- Senior Care Services: 1
- Real Estate: 1
- Mental Health Services: 1
- Law Practice: 1
- Industrial Marking Equipment: 1
- Artificial Intelligence: 1
- Architecture and Planning: 1
The United States continues to bear the brunt of ransomware attacks, accounting for nearly half of the new victims. While Legal Services saw the most explicit targeting, the overall distribution across industries remains highly diversified, reflecting opportunistic or broad-scope targeting by various groups.
Ransomware News
Topline
The past 24 hours saw significant developments, including an arrest linked to the Scattered Spider group, new ransomware incidents impacting public and private sectors, and technical insights into a destructive wiper masquerading as ransomware.
Campaigns & Operations
U.S. authorities reportedly charged a 19-year-old, known as Bouquet, tied to the Scattered Spider group following his arrest in Finland for wire fraud and computer intrusion related to multiple high-profile extortions, including Caesars and MGM Resorts. The DragonForce group claimed a 352.24 GB data theft from Australian ice-cream franchise Gelatissimo, while ShinyHunters alleged a breach of medical device maker Medtronic, claiming 9 million records. Kent District Library in Michigan reported a ransomware incident leading to branch closures and system lockdowns.
Vulnerabilities & TTPs
Check Point researchers described VECT 2.0, a "ransomware" variant that functions as a data wiper due to flawed ChaCha20-IETF encryption, irreversibly destroying files larger than 131 KB across Windows, Linux, and ESXi. The operation features an affiliate program and anti-analysis checks. Separately, a Q4 2025 report on European industrial automation systems described sharp regional divergences in threat exposure, with Southern Europe facing high rates of targeted OT attacks via email and phishing, including ransomware growth in Greece.
Analyst Note
Ransomware continues to change, from destructive wiper functions to persistent social engineering tactics. The attack surface also varies widely, from enterprise IT to operational technology.
Technical Takeaways
- World_Leaks continues its high operational tempo, focusing on Technology/Software and Manufacturing.
- The reported VECT 2.0 operation shows the emergence of data wipers disguised as ransomware, complicating incident response with irreversible data destruction.
- Geographic targeting remains broad, with the United States as a primary target and significant activity also observed across Europe, Canada, and New Zealand.
- Scattered Spider's continued reliance on social engineering and MFA bombing for credential harvesting remains a pervasive TTP for high-value extortion.
- The healthcare and legal sectors show persistent vulnerability, as evidenced by LockBit's targeting of healthcare and LeakedData/CL0P impacting legal services.