Icarus Ransomware Leads Activity with 5 Victims
Statistical Overview
Victim Totals
- This month: 624
- This quarter: 2167
- Year to date: 4788
- Last 24h: 22
Quarterly Breakdown
Q1: 2631 | Q2: 2167 | Q3: 0 | Q4: 0
Ransomware activity remains consistent. Q2 figures track slightly below Q1, but groups like Icarus, APT73, and Akira still add to daily victim counts. For more on current trends, see Ransomware Attack Trends and Forecasts for 2024.
Introduction
In the last 24 hours, 22 new ransomware victims were reported. The most active groups were Icarus (5 victims), APT73 (3 victims), and Akira (2 victims). Primary affected sectors included Professional Services, Transportation & Logistics, and Manufacturing, with the United States remaining the most frequently targeted country.
Ransomware Summary Table
| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|---|---|---|---|---|
| 1 | Icarus | 5 | Cbassociations, Cqcrm, Gms-net (+2) | None, United States | Professional Services, Insurance |
| 2 | APT73 | 3 | Gov.br, Kliknklik.com, Viennaairport.com | Brazil, Austria | Transportation & Logistics, Retail & Ecommerce |
| 3 | Akira | 2 | Ih engineers, Leo international | United States | Manufacturing, Construction & Engineering |
| 4 | Brain Cipher | 2 | Eggetttax.ca, Sterlinggloballtd.com | Bahamas, Canada | Professional Services, Financial Services |
| 5 | Chaos | 2 | Graymont.com, Randa.net | United States, Canada | Professional Services, Retail & Ecommerce |
| 6 | Nova (RALord) | 2 | Cloudquantum, Ftl-fast transit line | India, Belgium | Transportation & Logistics, Technology / Software |
| 7 | Aur0ra | 1 | Corporación primax s.a. | Peru | Energy & Utilities |
| 8 | CMD | 1 | EON Meditech Pvt | India | Manufacturing |
| 9 | INC Ransom | 1 | belpointeasset.com \ belpointe.com | United States | Financial Services |
| 10 | Interlock | 1 | Reynella east college | Australia | Education |
| 11 | Qilin | 1 | Schumacher homes | United States | Construction & Engineering |
| 12 | SafePay | 1 | Ehg.bayern | Germany | Energy & Utilities |
Icarus was the most active group, primarily targeting Professional Services and Insurance sectors in the United States. APT73 impacted critical infrastructure and government entities, including Gov.br in Brazil and Viennaairport.com in Austria, within Transportation & Logistics. Akira, Brain Cipher, and Chaos also contributed to activity, affecting sectors such as Manufacturing, Construction & Engineering, and Financial Services across countries like Canada, India, and Peru. SafePay listed a potentially critical target, Ehg.bayern, related to Energy & Utilities in Germany.
Victim Distribution
By Country
- United States: 8
- India: 2
- Canada: 2
- None: 1
- Switzerland: 1
- Peru: 1
- Australia: 1
- Indonesia: 1
- Germany: 1
- Brazil: 1
By Industry
- None: 1
- Wholesale Distribution: 1
- Manufacturing: 1
- Investment Management: 1
- Insurance Services: 1
- Cybersecurity: 1
- Construction: 1
- Civil Engineering: 1
- Apparel and Accessories: 1
- AI-driven Communications Solutions: 1
The United States remains the primary target country. Many industries were affected, with Professional Services, Construction & Engineering, and Transportation & Logistics consistently targeted.
Ransomware News
Topline - Recent ransomware activity shows persistent data theft campaigns, new extortion tactics, and growing legal consequences for compromised organizations.
Campaigns & Operations - The FortiBleed operation, active since February, continues to use a Golang-based tool called FortigateSniffer to passively harvest credentials from FortiGate firewalls, impacting SMBs and IT services globally. The Shinyhunters ransomware group was attributed to a data breach affecting Madison Square Garden and the New York Knicks. Drug maker Novo Nordisk is facing proposed federal class-action lawsuits after FulcrumSec and TheUSERS007 claimed exfiltration of 1.3 terabytes of data, including patient PHI/PII and proprietary AI models.
Vulnerabilities & TTPs - Attackers in the FortiBleed operation abuse the FortiOS diagnostic command -diagnose sniffer packet to capture authentication traffic for credential harvesting from FortiGate firewalls. A new extortion tactic involves ransom notes that specifically name the victim's business competitors, drawing information directly from exfiltrated data.
Analyst Note - These events show the changing methods of initial access, the varied impact of data breaches, and the legal and reputational fallout organizations now face. More insights into these changes are available in The Evolution of Ransomware Tactics and Techniques.
Technical Takeaways
- Icarus was the most active ransomware group, accounting for 5 new victims.
- The United States was the most targeted geography, with 8 reported victims.
- Professional Services, Transportation & Logistics, and Manufacturing were among the most frequently impacted sectors.
- APT73 demonstrated targeting of critical infrastructure and government entities in Brazil and Austria.
- The FortiBleed operation exploits FortiGate firewalls by abusing diagnostic commands to harvest credentials.
- A new extortion tactic involves ransom notes directly naming the victim's competitors, leveraging exfiltrated data.
- Data breaches, particularly involving PHI/PII and proprietary AI models, are leading to significant federal class-action lawsuits against affected companies.