Ransomware Report - 04/24/2026
Statistical Overview
Victim Totals
- This month: 583
- This quarter: 583
- Year to date: 3204
- Last 24h: 25
Quarterly Breakdown
| Q1 | Q2 | Q3 | Q4 |
|---|---|---|---|
| 2622 | 583 | 0 | 0 |
Q2 has recorded 583 victims so far, contributing to the overall year-to-date total of 3204. The past 24 hours saw a steady number of new victims across various groups, showing that global ransomware operations continue.
Introduction
The past 24 hours recorded 25 new ransomware victims, contributing to a year-to-date total of 3204. Qilin, Payload, and The_Gentleman were the most active groups, collectively accounting for 13 of the new incidents. The United States was the most targeted country. Financial Services, Transportation & Logistics, Education, and Healthcare sectors also experienced activity. For more insights into current threat actors, refer to our analysis on active ransomware groups.
Ransomware Summary Table
| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|---|---|---|---|---|
| 1 | Qilin | 5 | B to b visions, City of napoleon, ohio, Clearview intelligence (+2) | United States, United Kingdom | Financial Services, Transportation & Logistics |
| 2 | Payload | 4 | B3-bruck.at, Caravaningcity.com, Meditron.com.ve (+1) | Spain, Austria | Education, Healthcare |
| 3 | The Gentleman | 4 | Coralina, Eec group, Lawson software (+1) | Thailand, Egypt | Construction & Engineering, Professional Services |
| 4 | INC Ransom | 2 | Dorotea Sweden, tlctrialteam.com | Sweden, United States | Government / Public Sector, Legal |
| 5 | LockBit | 2 | heinrichs-logistic.de, merlo.de | Germany | Transportation & Logistics, Manufacturing |
| 6 | SLSH | 2 | Adt, inc. (adt.com), Udemy, inc. (udemy.com) | United States | Professional Services, Technology / Software |
| 7 | AiLock | 1 | Mother's market & kitchen | United States | Retail & Ecommerce |
| 8 | Akira | 1 | Rockville fuel & feed | United States | Manufacturing |
| 9 | Beast | 1 | Lessard dental | Canada | Healthcare |
| 10 | Insomnia | 1 | Meto systems | United States | Manufacturing |
| 11 | PayoutsKing | 1 | Flynn group | United States | Professional Services |
| 12 | RansomHouse | 1 | Star Energy Geothermal Salak | Indonesia | Energy & Utilities |
Qilin, Payload, and The_Gentleman were the most active ransomware groups over the last 24 hours. They targeted various industries and regions. Qilin focused on Financial Services and Transportation in the United States and United Kingdom. Payload impacted Education and Healthcare entities in Spain and Austria, while The_Gentleman concentrated on Construction and Professional Services across Thailand and Egypt. Qilin's activity, which included an incident against the "City of napoleon, ohio," aligns with observations detailed in our recent Qilin ransomware threat activity report. Incidents also include "Dorotea Sweden" targeted by INC Ransom and "Star Energy Geothermal Salak" in Indonesia compromised by RansomHouse, showing persistent threats to government and critical infrastructure.
Victim Distribution
By Country
- United States: 10
- Germany: 2
- Canada: 2
- Thailand: 1
- Venezuela: 1
- United Kingdom: 1
- Austria: 1
- Sweden: 1
- Spain: 1
- Paraguay: 1
By Industry
- Information Technology and Services: 2
- Legal Services: 2
- Medical Equipment and Healthcare Infrastructure: 1
- Security and Protection Services: 1
- Retail (Grocery), Health Food Store: 1
- Ready-Mixed Concrete Manufacturing: 1
- Industrial Machinery & Equipment: 1
- Government: 1
- Franchising: 1
- Education Technology: 1
The United States was the most targeted country, accounting for 40% of new victims. Various sectors were affected, suggesting attackers were opportunistic rather than focused on specific industries. Information Technology and Legal Services saw repeat hits.
Ransomware News
Topline
Recent threat intelligence shows Trigona ransomware re-emerging with a bespoke exfiltration tool and details a ransomware breach affecting a Hong Kong club.
Campaigns & Operations
Trigona ransomware returned after a 2023 disruption, deploying a custom command-line exfiltration tool, uploader_client.exe, in its March attacks. The tool enables faster data theft by using parallel uploads, rotating connections, and selectively exfiltrating files. Separately, the Yau Yat Chuen Garden City Club in Hong Kong disclosed a ransomware breach from October 28, 2025, impacting over 9,000 individuals due to vulnerabilities in outdated remote-access software and weak security controls.
Vulnerabilities & TTPs
Trigona's custom uploader_client.exe shows a shift from public tools to proprietary tools for covert data exfiltration. It uses techniques like kernel drivers (e.g., HRSword) to disable security. The Hong Kong club incident was attributed to compromised service-provider credentials used to exploit a vulnerability in outdated remote-access software, alongside dated antivirus and firewall protections.
Analyst Note
These incidents show the continued use of sophisticated data exfiltration tactics and the persistent risk from unpatched software and inadequate organizational security.
What are the main technical observations from today's ransomware activity?
- Custom Exfiltration Tools: The return of Trigona ransomware with a proprietary uploader_client.exe shows a move away from publicly available tools for data exfiltration, suggesting efforts to evade detection and speed up data theft.
- Vulnerabilities in Older Systems: The Yau Yat Chuen Garden City Club breach shows that outdated remote-access software with known vulnerabilities, and weak authentication and security controls, continues to be the main way ransomware gets in.
- Diverse Targeting: While the United States was the most targeted country, the diverse geographic spread of victims, from Austria and Spain to Thailand and Indonesia, shows broad targeting by active ransomware groups.
- Government and Critical Infrastructure Remain Targets: Incidents involving "City of napoleon, ohio," "Dorotea Sweden," and "Star Energy Geothermal Salak" show that government and critical energy infrastructure sectors continue to face direct ransomware threats.
- Established and Emerging Groups Show Steady Activity: Established groups like LockBit continue to post new victims, as do emerging groups like Payload and The_Gentleman, adding to the steady number of new victims daily. LockBit's activity reflects broader trends often covered in our latest ransomware threat activity reports.