Diverse Ransomware Activity Sees 14 New Victims

Statistical Overview

Victim Totals

  • This month: 99
  • This quarter: 1645
  • Year to date: 4270
  • Last 24h: 14

Quarterly Breakdown

Q1: 2631 | Q2: 1645 | Q3: 0 | Q4: 0

Ransomware activity maintains a consistent pace, with this quarter's victim count indicating sustained threat actor operations. The total new victims in the last 24 hours align with a steady pattern observed across the year.

Introduction

The past 24 hours saw 14 new ransomware victims reported, reflecting ongoing threat actor operations across various sectors. Active groups included Akira (2), DragonForce (2), Genesis (2), and INC Ransom (2), alongside others like Anubis (1). Primary targets were concentrated in the Manufacturing, Healthcare, and Financial Services sectors, with the United States remaining the most frequently impacted geography.

Ransomware Summary Table

# | Group | Victims (24h) | Sample Victims | Geos | Sectors
1 | Akira | 2 | National standard parts associates, Northern ohio regional multiple listing service | United States | Technology / Software, Manufacturing
2 | DragonForce | 2 | Copamex, Sets solutions | Lebanon, Mexico | Technology / Software, Manufacturing
3 | Genesis | 2 | Family medical associates of raleigh, Pb white & co | United States | Healthcare, Financial Services
4 | INC Ransom | 2 | CUSTOMSIGN, pdcbodynits | United States, Singapore | Manufacturing
5 | Anubis | 1 | Singing river health system | United States | Healthcare
6 | CMD | 1 | SeeWriteHear | United States | Media & Entertainment
7 | Medusa Locker | 1 | Baiapai | Singapore | Financial Services
8 | Space Bears | 1 | Sicol | Brazil | Financial Services
9 | Stormous | 1 | Sa2000.com new | Canada | Hospitality & Travel
10 | The Gentelman | 1 | Michigan surgical center | United States | Healthcare

The summary table illustrates varied ransomware activity, with no single group overwhelmingly dominant in victim count. Akira, DragonForce, and INC Ransom each claimed two victims, primarily affecting manufacturing and technology sectors across the United States, Singapore, Lebanon, and Mexico. Groups such as Genesis, Anubis, and The Gentelman continued targeting healthcare and financial services, predominantly in the United States. DragonForce further extended its reach to include financial and manufacturing entities.

Victim Distribution

By Country

  • United States: 8
  • Singapore: 2
  • Brazil: 1
  • Canada: 1
  • Lebanon: 1
  • Mexico: 1

By Industry

  • Financial Services: 3
  • Healthcare: 2
  • Food Service: 1
  • Information Technology: 1
  • Paper and Forest Product Manufacturing: 1
  • Apparel Manufacturing: 1
  • Healthcare & Social Services: 1
  • Information Services: 1
  • Manufacturing: 1
  • Publishing: 1

The United States remains a primary target for ransomware operators, accounting for over half of the new victims. By industry, Manufacturing and Financial Services show the highest concentration of attacks, suggesting continued emphasis on critical and potentially lucrative sectors.

Ransomware News

Topline

Multiple ransomware incidents were reported against local government entities and various organizations. The US government announced sanctions against cryptocurrency exchanges for facilitating ransomware payments.

Campaigns & Operations

Bowman, North Dakota Parks & Recreation experienced a ransomware attack leading to encrypted files, which were subsequently decrypted with expert assistance. In South Korea, Qilin ransomware targeted an automation equipment company, Nova ransomware affected a university's AI department, and Black X was observed in a data-extortion leak against a plastic surgery clinic. The National Federation of Subpostmasters (UK) also suffered a ransomware attack. Globally, the upcoming FIFA World Cup 2026 is projected to face increased threats, with high ransomware activity expected, particularly in the US and Canada. The US Treasury's OFAC sanctioned Nobitex, a major Iranian crypto exchange, for facilitating payments tied to IRGC-linked ransomware and sanctions evasion as part of the "Economic Fury" campaign, which also targeted other exchanges.

Vulnerabilities & TTPs

The ransomware attack on the National Federation of Subpostmasters stemmed from the exploitation of a critical vulnerability in the cPanel hosting control panel used by its web hosting provider. This period also shows the persistent use of dark-web channels for data leakage and extortion by various threat actors.

Analyst Note

These developments show the persistent and diversified threats posed by ransomware and its supporting financial infrastructure to a broad array of targets globally.

Technical Takeaways

  • Ransomware activity remains distributed across numerous groups, with Akira, DragonForce, Genesis, and INC Ransom leading in victim counts.
  • Manufacturing, Financial Services, and Healthcare continue to be highly targeted sectors, indicating a focus on critical and high-value industries.
  • The United States accounts for the majority of reported new ransomware victims, making it the most heavily targeted geography in this period.
  • Exploitation of vulnerabilities in common infrastructure, such as cPanel hosting control panels, remains a key initial access vector for some campaigns.
  • Efforts to disrupt ransomware financing continue, as evidenced by US sanctions against cryptocurrency exchanges facilitating illicit payments.