DreamFyre Ransomware: 43 New Victims in 24h
Statistical Overview
Victim Totals
- This month: 745
- This quarter: 2288
- Year to date: 4909
- Last 24h: 63
Quarterly Breakdown
Q1: 2631 | Q2: 2288 | Q3: 0 | Q4: 0
Ransomware activity is high, with 63 new victims identified. DreamFyre is the main cause of this activity, accounting for most reported incidents.
Introduction
The ransomware field saw 63 new victims added to leak sites, mainly caused by DreamFyre with 43 reported incidents, followed by Settra with 11. Targeted sectors included Technology/Software, Telecommunications, and Legal Services, with activity observed in the United States and Turkey.
Ransomware Summary Table
| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|---|---|---|---|---|
| 1 | DreamFyre | 43 | 165, 2025_it, Adana i̇mamoğlu bahçe (+40) | None, Brazil | Technology / Software, Telecommunications |
| 2 | Settra | 11 | Canopybrands.us, Conduril.pt, Doosan.com (+8) | Taiwan, United States | Technology / Software, Construction & Engineering |
| 3 | INC Ransom | 3 | callhorton.com, johndufourlaw.com, theswansonlawgroup.com | United States | Legal |
| 4 | REDACT | 2 | Fcci insurance group, Hologic | United States | Insurance, Technology / Software |
| 5 | 3AM | 1 | Acemacon.org | United States | Education |
| 6 | DragonForce | 1 | Aptora | United States | Technology / Software |
| 7 | Stormous | 1 | Data leak update new | Australia | Technology / Software |
| 8 | The Gentlemen | 1 | Ayres carr & sullivan, p.c. | United States | Legal |
DreamFyre had significantly more victims than other operators with 43, mainly targeting Technology/Software and Telecommunications organizations, including entities in Brazil. Settra was the second most active group, attacking various sectors such as Technology/Software and Construction & Engineering, with victims in Taiwan and the United States. INC Ransom focused on the Legal sector within the United States, which shows some groups have specialized targeting.
Victim Distribution
By Country
- United States: 24
- Turkey: 16
- None: 8
- China: 2
- Germany: 2
- South Korea: 1
- Brazil: 1
- Czech Republic: 1
- Greece: 1
- Japan: 1
By Industry
- None: 9
- Legal Services: 4
- Software Development: 2
- Food and Beverage: 2
- Manufacturing: 2
- Health, Wellness & Fitness: 1
- Motor Vehicle Manufacturing: 1
- Public Relations and Communications: 1
- Research and Development: 1
- Advertising Services: 1
The data indicates a continued high number of ransomware incidents within the United States; Turkey also experienced a significant volume of attacks. Industry targeting remains diverse, though Technology/Software and Legal Services sectors have more reported compromises.
Ransomware News
Topline
Recent intelligence shows two challenges: third-party supply chain vulnerabilities and the professionalization of cybercrime through access brokers.
Campaigns & Operations
Woodgnat hackers are deploying Backdoor.Mistic (Mistic RAT) to establish hidden network footholds, acting as initial access brokers for ransomware groups including Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta. Separately, the education sector faces a threat from third-party breaches, as evidenced by 1,252 breaches last year, with 65% involving ransomware and 71% stemming from web application compromises like the MOVEit incidents.
Vulnerabilities & TTPs
Mistic RAT employs a multi-stage PowerShell chain, network mapping, data exfiltration via Curl, and in-memory execution using DLL sideloading and fake login screens for credential harvesting. The education sector's vulnerability often results from reliance on web applications and interconnected third-party vendors.
Technical Takeaways
- DreamFyre was the most prolific ransomware operator, accounting for 43 of 63 reported victims, with a focus on Technology/Software and Telecommunications.
- Initial access brokers, exemplified by Woodgnat's deployment of Mistic RAT, industrialize the cybercrime ecosystem by providing ransomware gangs with pre-established network access.
- The education sector is highly susceptible to ransomware, with third-party breaches and web application vulnerabilities causing many incidents.
- Geographically, the United States and Turkey were key targets, while industries like Technology/Software and Legal Services had concentrated attacks.
- Access brokers using Mistic RAT employ advanced tradecraft, including multi-stage PowerShell, DLL sideloading, and credential harvesting, to maintain stealth and persistence.